Imagine sometime in the not-too-distant future when you settle down to watch your favourite TV show, and suddenly the electricity goes off. Unless you’re in a country where outages are the norm, you may think, “That’s unusual,” and simply wait a few moments for the power to return. But it does not. Later, you discover that the National Grid was hacked in a series of cyberattacks, and the whole country’s network has been brought down. Sounds a bit far-fetched? Don’t you believe it…
If, as a leader, you’re not in a state of high alert over cybersecurity threats – e.g. cyberattacks and cyber warfare – then you haven’t been paying nearly enough attention. Evidence is mounting that bosses who’ve stashed cybersecurity somewhere near the bottom of their priority lists urgently need to wake up and smell the gigabytes.
It’s an inescapable fact that technology is becoming more and more intrinsic to our daily lives – whether it’s building up basic health records from our strolls or jogs via apps on our smartphones, or monitoring our physiques in more sophisticated ways via specialist fitness watches. It also sits right in front of us for the greater part of the waking week, as the PCs and Macs on which we chew through our workloads.
But when it comes to cyberattacks, these machines are not just windows for us to look in on the digital world. They are also potential points for unseen strangers – perhaps half a world away – to look out. And the dangers of that dynamic have been brought home in a chilling, recent experiment carried out at Israel’s Ben Gurion University (BGU).
Drive to destruction?
In a feasibility test designed to pre-empt the thinking of malicious hackers, scientists in BGU’s Cybersecurity Research Center created a piece of malware called ‘Speak(e)ar’, which converts the audio jack port on a standard, desktop computer into a mic jack. The result: earphones can be instantly transformed into microphones – or perhaps more accurately, bugs – with the capacity to pick up anything from background banter in the workplace all the way up to much more sensitive talks with competitive dimensions.
BGU is not the only research house that’s been exploring what sort of mischief hackers might be tempted to pull as their ambitions flourish. Another is professional security consultancy IOActive. Back in the summer, the firm’s senior security consultant Corey Thuen issued a hard-hitting report which identified a number of weaknesses that hackers could exploit in cyberattacks designed to take partial or full control of connected cars. Among the entry points that the report disclosed were:
- Cellular radio
- Onboard diagnostic software
- Companion apps, and
- Infotainment media
Thuen’s people drew up a set of ‘impact scores’ for the vulnerabilities they spotted. These were put into five categories: Critical – ‘Knowledge of the vulnerability and its exploitation are in the public domain’; High – ‘Relatively easy for a hacker to exploit with little skill’; Medium – ‘An expert hacker could exploit without much difficulty’; plus Low and Informational. Across their pool of test vehicles – supplied by several carmakers under strict conditions of anonymity – the firm found that 73% of them were at risk from either Critical, High or Medium vulnerabilities.
IOActive has form on this front. Last year, the firm reported on a landmark study outlining how two in-house hacker/researchers were able to stop the engine of a technology-laden, 2014 Jeep Cherokee while it was in motion on a US Interstate highway. That was after they’d already played havoc with various accoutrements, such as the air conditioning, radio and windscreen wipers. In the driving seat at the time was an intrepid guinea pig – tech writer Andy Greenberg – who later described in a WIRED feature how the experiment had “ceased to be fun” once his accelerator had stopped working, leaving the Jeep “paralysed”.
In its report, IOActive concluded: “This remote attack could be performed against vehicles located anywhere in the US and requires no modifications to the vehicle or physical interaction by the attacker or driver. As a result of the remote attack, physical systems such as steering and braking are affected.” The report forced Chrysler to recall a whopping 1.4 million vehicles. And you know how I feel about THAT sort of thing.
It doesn’t take a huge leap of imagination to think that a regimented hacking group could readily hold a global manufacturer to ransom with threats to mount cyberattacks designed to sabotage, or disable, any vehicles it operates under a common, connected network. That’s the ultimate implication of the reports I’ve highlighted. But this type of risk isn’t restricted to cars. In fact, it may even be poised to hover right over you.
On 29 November, cybersecurity experts McAfee Labs and Intel released their joint 2017 Threat Predictions Report, which forecasts a boom in drone use over the coming year. But that boom is likely to come with malware strings attached. “We predict in 2017 that drone-exploit toolkits will find their ways to the dark corners of the internet,” says the report. “Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news.”
‘Dronejacking’, the report notes, could harm organisations in a variety of sectors:
- Delivery: Customers of firms such as Amazon, UPS and Domino’s, who plan to make increasing use of drones over the next few years, could find that their orders go astray in the wake of hacks.
- Media: Filming crews who use camera-mounted drones to cover large-scale, public events could suffer from broadcast blackouts or interruptions as the devices are interfered with, re-routed or downed.
- Law enforcement: Police and security agencies that are likely to make drones more central to crowd-control operations could be frustrated in their efforts if criminal hacking gangs wrest control of the machines.
But all those threats – bugged computers, hackable cars and derailed drones – pale into insignificance compared to the spectre of state-backed cyberattacks… more commonly known as cyber warfare. Without doubt, the incident that put the issue firmly on the map and rooted it in the public consciousness was the large-scale email hack carried out against Sony Pictures in November 2014.
What began as an embarrassing series of leaks exposing views that studio bosses held on key actors and directors (sparking the resignation of co-chair Amy Pascal) quickly ballooned into a far darker crisis. Three weeks after the initial cyberattacks, the ringleaders – who identified themselves as the Guardians of Peace (GoP) – hit Sony with an ultimatum over upcoming Seth Rogen film The Interview, a garish satire about North Korean politics that climaxed with the assassination of supreme leader Kim Jong-un. Cancel the release, said the GoP, or there will be terrorist strikes against US cinemas. Sony promptly issued the film in straight-to-digital format. A CIA probe showed that the GoP were likely based in North Korea.
This was an unprecedented instance of state-to-corporation cyber warfare that opened up huge concerns over global relations and US national security. And in the run-up to the recent US Presidential election, the same digital beast reared its head once more when the Obama administration formally accused Russia of state-sponsored cyberattacks designed to affect the poll. With the US election now firmly in the rear-view mirror, the creature of cyber warfare still looms large: Germany has announced that it is likely to be the target of a Russian hacking spree ahead of its General Election next spring, in which Angela Merkel will attempt to win another term. And just last week, a top-level CIA report on Russian hacking against the US added credence to those suspicions that Putin had attempted to tip the election in Trump’s favour.
What leaders must do
We’ve covered an escalating scale of potential problems, here, and there are clearly areas of the cyberattacks maze that are best navigated by national intelligence and enforcement agencies. But in a climate where not even the competitive advantage of a corporation is immune from the threat of cyber warfare, it is vital for leaders of private and public bodies alike to settle for nothing less than the most airtight and ironclad cybersecurity policies.
Seek out high-quality experts. Pin down the solution that fits best with your firm, even if that means it’s bespoke. And don’t cut corners: do all you can to stay cyber-safe.