It was only recently that a major hack took place that targeted Internet infrastructure in the US with one of the largest DDoS attack ever recorded. The root cause was tracked back to overlooked security vulnerabilities in hundreds of thousands of compromised connected video cameras. Similar IoT-enabled cameras and sensors are driving forward the Smart City initiative that depends on these devices to manage the entire city’s infrastructure and assets.
Essentially, this dependency suggests that even the smallest of security weak points within the Smart City infrastructure can escalate security exploitation to unimaginable and uncontrollable levels.

 

Is a Smart City a Dumb Idea?

Just think about it a moment. If we take the concept of a Smart City to its goal, we have a very real potential for catastrophe if security vulnerabilities exist within the technology used.
Consider for a moment that a) by 2050 it is predicted that over 66% of the world population will live in an urban area and that b) smart technology is going to be the only way to manage these huge urban populations.
Smart cities are not simply a pipe dream, amusing on the potential of creating a digital utopia. They are going to be a fixed requirement for the changing shape of the global population. In effect, they are an unavoidable byproduct of the steady shift towards global urbanization.
So, what are the implications of a Smart City being hacked? In a worst-case scenario, we have death and mayhem. At the other end of the scale, we have day to day life for residents interrupted and hindered.

A Public Exposed to Harm Through Bad Technology

Currently, most successful hacks target network infrastructure that is responsible for carrying data. So, if one is successful, we might lose access to our favorite website or TV channel for a while. An annoyance, buy hardly life threatening.
Now fast forward, to a time when smart cities are helping to ease traffic by routing and possible driving our smart cars. When emergency services and law enforcement is centrally controlled and managed via smart technology. When public transport is scheduled and managed using tech. And when everything down to booking a tennis court at the local community center is the responsibility of the technology running the smart city.
Hackers for almost the very first time, can start getting physical in their attacks. These could be relatively harmless attacks such as block booking that tennis court for the next 100 years. But they could also be life threatening if they gain the ability to begin rerouting traffic whilst sending the emergency services elsewhere on a wild goose chase.
Smart cities are fast becoming a reality. However, the technology we are using to build these digital urban playgrounds is far from being secure. There is a clear and present danger in rolling out smart city deployments before the standardization of IoT device security is first specified, and then adhered to by every manufacturer.

It’s 3 months since some of the NSA’s top-secret hacking tools were dumped for public inspection by person or persons unknown. Various commentators and experts voiced theories about the motive and perpetrator. People such as Edward Snowden and security experts pointed fingers at Russia almost immediately. The picture of the event has changed somewhat in the intervening period and the salient facts have been re-examined in a different light:

• The suggested price for the remainder of the cache at $568 million was way too high to be credible. This indicated the likelihood of a simple publicity stunt rather than a serious attempt to obtain money.
• Some of the tools were zero-day exploits (tools that take advantage of unreported vulnerabilities) and could have fetched over $100,000 each on the black market instead of being given away for free. That would have been the obvious route to take if money were the objective.
• The timestamps indicated that the material was 3 years old. Although its authenticity has been corroborated, why keep it under wraps for that long?
• The FBI, who are leading the investigation, now say they believe it was accidentally exposed by an NSA employee or subcontractor and subsequently discovered by the perpetrator.

So the infamous hack looks like it was not a hack at all. The most likely explanation is that the act was a veiled threat by Russia to lay off further actions against it over the much-publicized hacks of several Democratic Party organizations. The implication being that the network serving up the malware could be identified, which could severely embarrass the US should they be linked to actions against allies.

Probably the most shocking aspect of the entire affair is the realization that the NSA “good guys” are happy to uncover vulnerabilities but not inform the equipment manufacturer. Just like any black hat hackers, they utilize the information to develop exploits. The most infamous exploit attributed to that group.

The target equipment is major league serious network components used in government networks, large corporations and their like – routers and firewalls manufactured by major American and Chinese vendors such as, Cisco, Juniper Networks, and Fortinet. Seemingly the material consisted of exploits (tools), command-and-control server configurations and installation scripts. Substantially different from the more commonplace malware site drive-by infection that dumps criminalware on the computers of unsuspecting visitors. Some sources believe that the exploits, numbering about ten apparently, were supplied to the NSA by a cyber espionage organization called the Equation Group, who were also linked to the computer worm, Stuxnet.

It is not only the NSA that suffered a significant credibility setback. One can only imagine the reactions of the top brass of the equipment manufacturers that were impacted. In the highly competitive world of international equipment, the perception of buying a totally secure network is paramount. Suddenly, the Cisco salesman or OEM may be asked if the equipment can be guaranteed to be completely secure, or does the US Government effectively own the keys to a back door?

Why is a well-known exploit kit that hit the headlines back in 2010 still just as deadly as we head into 2017? Spotify users were the latest victims of the Blackhole Exploit Kit. The ads that help pay for the free version of Spotify are delivered by third party ad servers. So are the majority of online ads these days. One of the ads took users to a malware infection website where the exploit kit was activated to contaminate users’ Windows computers.

Exploit kits are software toolkits designed to be installed on web servers. They utilize scripts to detect vulnerabilities in software installed on the computer that visitors use to navigate to a site that is served up by the malignant web server. Users do not even have to click on the infected ad – it is enough for the ad’s code to be downloaded to the user’s browser. Typically, exploit kits are classified as criminalware and are mostly targeted at Windows users and platforms. The objective is to potentially download a whole range of malware agents from key loggers to online banking Trojans. The best defense against this type of attack is simply to keep your anti-malware software up to date.

Assuming that the bulk of tech-savvy online users do just that, there is a very obvious reason why the criminals behind the Spotify attack invested time and money (presumably) in setting up the malignant ad. There is a substantially large number of users who don’t understand the nature of the hostile online world and are blissfully unaware of the critical need for security software on their devices. That is why what should be a relatively obscure exploit kit from seven years ago is still worth persisting with today.

So how exactly do these exploit kits work?

First of all, it’s important to realize that the majority of malware sites are regular sites that have been hacked and infected. That makes it impossible for you or anybody to know they are on a “bad” site without the aid of a security tool to launch an instant alert. Exploit kits very quickly test a user’s complete environment. That includes OS, browser, installed applications, security settings and systems. It takes less than a second for the complete operation of discovering a vulnerability and downloading the payload of malware. This article explains the infection process very well.

There are many exploit kits available to purchase. Perhaps the most worrying category is the Zero Day kits. Whilst browser and application vendors are constantly watching for and testing for potential vulnerabilities, there is an inevitable delay between warning users about the risk and having those users apply the required patch. Zero Day exploits become available immediately, hence the zero tag in the name. They can be deployed by hackers long before a segment of the user community gets around to patching the vulnerability.

If you want to delve deeper into the technology and ever-evolving incarnations of exploit kits, visit malware-traffic-analysis where Brad maintains a blog that records new discoveries on an almost daily basis. The blog at commercial protection vendor MalwareBytes provides a less techie and more high level discussion of current exploits, trends and observations.