In the past if a Utility(like electric or water) were manufacturing a network of power or water meters each meter would not just be connected to an individual house, they would also be wired to each other. Now that we are able to connect computers efficiently via radio frequencies(i.e through WiFi) we can cut these wires between each Smart meter. The advantage of the wired network for the Utility was that the communication would not be tampered with unless an attacker physically tapped into the wires. An attack that would be very noticeable. As such an attack was rare the Utility could make the risk assessment that says encryption was unnecessary on the network. Essentially since the machine(power meter) was talking to a machine(Electric company server) why add "useless" security measures?
Machine to machine(M2M) communication is actually a service offered by Mobile Phone Carriers. In M2M, a Smart "Thing" gets its own SIM card or mobile phone account so that it can talk back to its server over a mobile phone network. The most common system using M2M one might see would be the telematics system in their car(e.g. GM OnStar, Chevrolet MyLink). While these systems which turn your car into a Smart "Thing" have better security than the majority of other "Things", they still have vulnerabilities and have faced scrutiny from security researchers[CAESS, Bailey/Solnick, Valasek/Miller].
How do Attackers look at the Internet of Things(IoT)?
M2M and the Internet of Things are not as well documented as desktop PCs or Mobile phones. Any device(e.g. Smart watches, Smart fitness sensors, etc.) that connects to the Internet is open to interest from attackers. One's data has value and Smart sensors collect a large amount of personal data, more than enough to attract attackers out to make money by using or reselling that data.
An attacker looking at a target "Thing" would need to perform reconnaissance on a device and the network to which it belongs. In the case of a power meter, they would acquire a meter(legally through surplus sales, or illegally through theft). Legitimate security researchers solely utilize legal means, perhaps photographing markings, stickers and anything visible on a meter in the wild.
OSINT(Open Source Intelligence)
When assessing a target one of the first steps involves gathering as much research on the public facing and accessible portions. For many corporate and most government targets, one would think that all relevant information is proprietary or highly classified. It turns out that this is not the case. One can find out quite a bit from open sources. These are public and commercial databases, newspapers, trade publications, patents, etc. Some experts on covert intelligence say that up to 80% of the information they gather can be obtained from these open sources.
The attacker's next step after acquiring images of the target meter is to source information based off of any text, serial numbers or other information. Google is useful for using these details to get pointers to even more detail.
The meter may consist of or be entirely patented. While a patent prevents competitors from selling one's technology, that security is in exchange for providing a method to replicate an invention. The attacker can locate the relevant patents and find out how the meter is put together.
The attacker would also like to scan and map out the target network. A wireless meter is useless if it can't connect back to a Utility company or get any new commands. As the Smart Meter connects to the Internet, the attacker can search open records for IP addresses affiliated with the company. They may also search for publicly accessible management interfaces.
Next steps would utilize separate attacks against the components of the network; pen testing the web interface/management console, reverse engineering of the meter hardware, cryptanalysis of any encryption used in communication and more.
Theoretically these are methods that an attacker or researcher would use, but it's easier to explain when there is a real target.
Solar Powered Parking Meters - An IoT thought experiment
A few years ago I and a couple of colleagues took a look at what we called "Solar Powered Parking Meters". These were a series of smart Parking Meters that had built in conspicuous solar panels. The panels were the primary source of power with battery backup.
We had been influenced by prior research[Grand] on Smart Parking meters from a different manufacturer. Those researchers had acquired parking meters second hand through eBay and never agreed to any additional licenses from the manufacturer. As the meters we were interested in were only available through the manufacturer, we consulted with Attorneys on how far we could proceed. Per their advice, purchasing a parking meter from the manufacturer would restrict our research efforts, so we confined our efforts to researching open sources. This limited our assessment to a thought experiment(real attackers would of course not be so restricted).
A majority of the information I attained was presented to a local computer user group. The slides are available on Slideshare.
Simply through particular Google searches, I was able to source:
- profits made per meter
- name of senior engineers
- information on how the meters process Credit Cards transactions(PCI compliant?)
- how Coins are collected
- the type of information stored on the meters(e.g. private, financial, etc.)
- mockups of the parking meter management console
- likely provider of the M2M SIM cards
All that was obtained via news articles, patents, brochures, and searches of the manufacturer's site. Nothing anyone would consider secret or even "obscure". An attacker unencumbered by laws could easily find the same information and continue on to infiltrate a target network.
Internet of Things - Sufficiently secure?
Attackers will always have an advantage on a new platform if security is not included in the production of new devices. We already do so with mobile phones and devices. It would be a mistake for us to neglect securing these new "Things".
