In my predictions for security in 2012, I pointed out that hand-in-hand with an increase in governmental control over the internet will come a spate of attacks from those that oppose such control.
I also harboured some concern over the industrial systems that control infrastructure such as water, sewage, electrical grid, public transport and so on. The year has actually started with a lot of tension around exactly such problems. Towards the end of 2011, Anonymous targeted US Government sites in response to SOPA, but these attacks have not ceased even though the original SOPA bill has been put on the backburner. But while the world has its eyes turned to the US, Ireland is busy pushing through its own SOPA-like legislation.
This hasn’t gone unnoticed, and of course the hacktivists have done their best to alert the world to their displeasure. Okay, so the hackers are out in force, and the governments of the world are up to their usual shenanigans, why did I bring up those industrial systems that lurk behind all of the infrastructure that keeps the wheels of civilization turning?
Just over two years ago, John Matherly, a web-app developer, came up with a plan to develop his own search engine. His goal wasn’t to try to compete with any existing search engines. Matherly set out to create a search engine that essentially hunts the internet for systems that are connected and most likely vulnerable. Okay, that description simplifies things a little, but I’m not going to waste too much time getting into the details of this. SHODAN is essentially a hacker’s paradise. By connecting to different systems on a range of different ports, SHODAN can collect “banner” information returned by the system. This helps SHODAN to identify the type of system that it has found, what ports it has open, what services it seems to be running, and what vulnerabilities might exist for it. If you want to give it a go, it may be worth checking out this set of slides for a quick tutorial.
If you haven’t encountered SHODAN before, it’s quite interesting, but its existence is old news. About a year ago, The Register reported that hackers were already using SHODAN to identify vulnerable SCADA systems that had been connected to the internet. At the time, many infosec professionals scoffed. I mean, how many critical infrastructure systems actually get connected to the internet, and what the hell for? Well, jump forward a year to January 2012 and we finally have a bit more of an idea. Eireann Leverett, a computer science doctoral student at Cambridge University, has spent the last year working on a tool that specifically hunts SHODAN for insecure or vulnerable ICSes (Industrial Control Systems). The number is quite astounding, 10 358 systems were logged as having signatures that identified them as your typical SCADA systems, and many of them seem to be open to easy hack attacks due to poor security practices.
That’s a lot of systems, and to be fair, Leverett played things safe and only worked toward gathering the information. He admits that he didn’t do anything to determine how many of the devices uncovered were actually working systems as opposed to demo systems or honeypots, and he can’t tell you how many of the systems are actually critical infrastructure attached to public resources or just your average system controlling heating and lighting in a building. Still, from a cursory exploration of some of the systems in his list, he was able to identify that at least some of them did actually belong to water facilities in Ireland and sewage facilities in California. What is probably most concerning is that only 17 percent of these systems require authorisation to connect. That means that administrators either aren’t aware that these systems are actually online and accessible via the internet, or their security practices are so poor that these systems are just overlooked.
Why are these types of systems even on the internet? I posted an article last year, that described how jobs are slowly being taken over by technology. These systems are actually fairly early examples of exactly the sort of menial labour that can be easily replaced by computer, but ultimately all of their controls and the data that they gather still need some form of administration. Since many of these systems are widely distributed, the obvious thing is to provide some form of networked access to them, so that administrators can control them remotely. Originally, most of these used dial-up modems and proprietary networking protocols, but over time this has proved costly to keep updated and requires a whole separate infrastructure which needs to be maintained and supported. In order to reduce costs and to be able to take advantage of newer technologies, most of these systems now have TCP/IP support, which means that they can be connected up to any standard network, and can ultimately be provided internet access.
You may be wondering exactly what sort of stuff people can do if they gain control of these types of systems. Leverett gives a few examples in his paper. For instance, back in 2008 a teenage boy took unauthorised command of the city tram control system in Lodz, Poland, using an adapted television remote control that was capable of switching tram vehicles from one set of tracks to another. The incident resulted in the derailing of four vehicles. Sure, this system wasn’t connected to the internet, but the principle is the same. In the same year, Tom Donahue, a CIA agent announced that he had information about electricity systems outside of the US that had been remotely compromised for extortion. Back in 2000, an Australian sewage plant was compromised on a variety of occasions, resulting in hundreds of gallons of raw sewage being pumped into rivers and parks. He also points out that in a routine scan of SCADA systems in a fabrication plant, one of the systems controlling a robotic arm had been left in standby mode. The scan triggered the arm to swing through 180 degrees. Another scan caused one of the SCADA systems to hang resulting in $50,000 worth of damage to the goods being manufactured.
Most chilling was the story of the StuxNet worm which was designed to attack ICS systems by copying itself across Windows systems with the final goal of somehow making its way onto a Siemens ICS. The story behind Stuxnet is still not entirely clear, and the perpetrators have still evaded capture, nonetheless it is now clear that different variants of Stuxnet mostly targeted Iranian organizations, with the probable target widely suspected to be uranium enrichment infrastructure in Iran. Siemens actually stated that while the worm had not caused any damage to its existing customers,the Iran nuclear program, which uses embargoed Siemens equipment procured clandestinely, had been damaged by Stuxnet.
Last year in the US, the TSA reported that in December hackers attacked one of the rail systems disrupting signals for two days. One of the trains was actually slowed on the tracks for a period during the 15 minutes that the system was compromised. Actually, if you’re interested in how the trains in the US work, you can do a bit of your own hacking and listen in on control system traffic. All you need is the ATCS Monitor tool and a scanner. You listen in on all the radio traffic for the train service, and pick up the control signals which the monitor can then turn into meaningful train routing maps. The difference here is that while you are listening in on things, you are not actually affecting how they work. The story mentioned by the TSA is worrying, because it means that people outside of the system have the potential to reroute trains.
While these stories are disturbing, there is always the chance that things are not what they seem. In one of my previous articles I mentioned that there had been reports that a SCADA system at a sewage plant in Illinois had been compromised. As it turns out, this story really does have a happy ending. The system in question had reached the end of its life and turned out to be faulty. An administrator who happened to be in Russia at the time, was contacted and asked to check on some data for the system. Nobody realised that he was in Russia at the time, so when they saw Russian IP addresses in the logs and then discovered the damaged system they naturally assumed they had been attacked. Its an amusing anecdote, but this doesn’t take away from the fact that the potential for these incidents to actually occur is all around us, and the motivation for hackers to take control of these systems is at a peak.
Recently, a data breach that resulted in an external contractor having direct access to the databases of two major New York energy utility providers resulted in the social security data and account information for nearly 2 million customers to have been exposed. While there is no evidence that this data has been published anywhere or used for nefarious purposes, there is some concern that this could have wider-reaching implications than a few simple cases of fraud. In 2010, Scientific American posted a story discussing how the US “smart” power grid lacks the security that it really needs. One of the points in the article was that customer data could actually be used to bring down the grid. Admittedly the suggestion is purely hypothetical, but the idea would be to inject smart meters with malware that could be used to create “botnet” type behaviours to manipulate load around the grid. Scientific American dramatically postulates that this could result in generators exploding. I don’t think I would go quite so far, but who knows?
What I’ve tried to get at in this article is that the lines between the physical world and the digital world are ever more blurred. Security is no longer simply about keeping some personal data or banking details safe. Computer systems are enmeshed into the fabric of our everyday existence, and all of these systems are on the Net. I believe that the hacking community is increasingly becoming involved in political activism, and as politicians get more involved in the digital world that is the traditional domain of the hacker, we are going to see the hacker get more involved in the physical world that is the traditional domain of the politician.