Weaponising the internet – the rise of physical cyber attacks

Computer hackers leak confidential information, destroy reputations and steal corporate secrets. But cyber attacks are increasingly able to interact with the real world and cause physical harm to people and infrastructure. In July, Chrysler recalled 1.4 million cars when it was discovered that it is possible to remotely disable the ignition and the brakes of recent Jeep Cherokees.

At a time when there is no shortage of states and individuals looking to cause maximum destruction, CIA chief Leon Panetta warned that the "next Pearl Harbour could be a cyber attack."

"The capability for physical destruction is there and the capability of relaying false information or false instructions is there," says EJ Hilbert, managing director and head of cyber investigations at Kroll. "I used to say you can do anything in cyber except commit murder, and then I found out a lot of pacemakers are wirelessly connected."

"How about turning on the heat of your house so it overheats the boiler until it explodes? Or instructing your car that it doesn't have gas?" he asked in a May interview. "Imagine if you could remotely just shut somebody's car off on a freeway during rush hour? It's those types of situations that are very likely when you have a connected world that does not consider building security at the outset."

The rest of this article looks at four recent cases of cyber attacks that have shown the potential to cause widespread physical damage. So far, perpetrators of cyber attacks have gone to great lengths to target very specific assets, but the next wave of attacks might take the easier route of causing much more widespread mayhem.

2010: Iranian centrifuges

The Stuxnet computer worm targeted the centrifuges used in secret Iranian industrial facilities in 2010 and was described as one of the “most refined pieces of malware ever discovered”. Centrifuges are used to enrich uranium for the production of atomic weapons.

Stuxnet showed for the first time that a cyber attack could cause significant physical damage to a facility. Stuxnet infected computers around the world but was inert on all computers except for those running a type of Siemens software that is used to control very specific industrial processes. On these machines, it was able to speed up and slow down centrifuges to damage or destroy them.

While information on the actual damage caused has not been easy to confirm, it is understood that 1,000 to 2,000 centrifuges were removed from the Natanz nuclear facility. Iran's president Mahmoud Ahmadinejad played down the level of damage but the US government maintained that the cyber attack had set back the Iranian nuclear programme by several years.

The complexity of the attack led many commentators to conclude that the perpetrators must have been some kind of government agency.

2014: German steel mill hack

Around the time of the hack of Sony Pictures Entertainment in November 2014, another major incident occurred that was relatively overlooked by the media. In December, it emerged that a blast furnace at a German steel mill had suffered "massive damage" following a cyber attack on the plant's network.

Attackers had used booby-trapped emails to steal logins that gave them access to the mill's control systems, according to the annual report of the German Federal Office for Information Security (BSI). The intrusion led to parts of the plant failing, meaning that the blast furnace could not be shut down as normal, resulting in significant damage.

“The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says. Given the commonality between many of the SCADA (supervisory control and data acquisition) systems used by utility firms, there is concern that in the future, multiple simultaneous attacks could occur.

"The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred," writes Kim Zetter at Wired. "It’s also unclear if the attackers intended to cause the physical destruction or if this was simply collateral damage."

"The incident underscores, however, what experts have been warning about in the wake of Stuxnet: although that nation-state digital weapon had been expertly designed to avoid collateral damage, not all intrusions into critical infrastructure are likely to be as careful or as well-designed as Stuxnet, so damage may occur even when the hackers never intend it."

2015: Passenger plane hack

In May 2015, it emerged that an airline passenger may have successfully hacked into over a dozen commercial flights, including sending commands to a jet engine in midair. Computer security expert Chris Roberts allegedly hacked into a plane's in-flight entertainment system whilst on board and was able to get the plane to climb and move sideways. He bragged about his ability to take control of the jet on social media, alerting the authorities.

It is reported that Roberts had used a simple plug, installed under the seats of many commercial airlines, to tap into the systems up to 20 times since 2011. While his intentions did not appear to be malicious, his ability to exploit on-board weaknesses highlights the potential for more sinister hacks in the future if such vulnerabilities are not tackled.

The FBI, which is investigating the hacks amid concerns over the safety and cyber security of passenger aircraft, has also voiced its concern over the future potential for driverless cars to be hacked and used as weapons. Meanwhile, United Airlines is offering free air miles to hackers who are able to expose security flaws in its systems.

2015: Jeep Cherokee hack

On July 21, 2015, a journalist in Wired magazine revealed that a pair of hackers had successfully demonstrated that they could remotely control a Jeep Cherokee while it was being driven on a highway by turning down the AC, turning up the radio and turning off the ignition. Later, in a parking lot, they showed that they could disable the brakes and control the steering wheel (at least while the car was in reverse).

The hackers had used a cell phone in another part of the country to access the car's entertainment system and then take over safety-critical systems. The hackers in question never intended to hack anything other than their own car. But they clearly demonstrated the potential for more nefarious hackers to cause serious damage to cars and drivers around the world. Three days after the article was published, Chrysler recalled 1.4 million cars, including models from their Chrysler, Dodge, Jeep and Ram ranges.

Although this demonstration exploited a particular weakness in a particular model of car, pressure to build connected features in cars is going to continue to create vulnerabilities. “They’re getting worse faster than they’re getting better,” said one of the hackers. “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it.”

Posted: Monday, August 3rd, 2015