1 of 29

How do you hack an aquarium?

Security issues of IoT – ECER 2022

Peter Pistek

Senior researcher @ KInIT

Kempelen Institute of Intelligent Technologies

2 of 29

Outline

  • Introduction
  • Aquarium and other hacks
  • Best practices in software security
  • Network attacks and their detection


3 of 29

Introduction

  • Independent, non-profit research institute
  • Topics
    • Web and user data processing
    • Natural language processing
    • Data analysis for green energy
    • Information security
    • Ethics and human values in intelligent technologies
  • Senior researcher @ KInIT


4 of 29

Aquarium and other cases

5 of 29

Irresponsible Fishes = Unsecured Aquarium [2017]

  • North American casino
  • Nice high-tech aquarium with a smart thermostat
    • Remotely set
    • Temperature monitoring
    • Unsecured, and on the casino's network
  • 10 GB of data sent to IPs in Finland
    • Through the thermostat: the "harmless" device became the exfiltration channel


Source: Tripadvisor


6 of 29

I want to sleep - Hotel [2017]

  • Romantik Seehotel Jaegerwirt (near Turrachsee)
  • Control of the electronic locks on guest rooms was taken over
  • Guests couldn't re-enter their rooms


7 of 29

How much insulin is enough? [2019]

  • Insulin pumps for diabetic patients
  • Wireless remote controller
    • Start / stop / change the amount of insulin
    • Commands could be captured and re-sent (replay attack)
  • Hypoglycemia / ketoacidosis / death
  • ~32,000 vulnerable pumps


Source: securityweek.com


8 of 29

Keep calm and meditate? [2017]

  • Pacemaker vulnerability (found by MedSec)
  • Consequences
    • Drain the battery
    • Change programmed settings
    • Change the pacing (beats and rhythm) of the device
  • Firmware update
    • Patients had to go to a hospital
    • Updating itself carried risks that had to be weighed
  • ~465,000 vulnerable devices


Source: news-medical.com


9 of 29

I don’t give you your drugs, but I may run over you [2022]

  • Medical robots – advanced “Roombas”
  • 5 vulnerabilities allowing an attacker to
    • Take photos
    • Snoop via camera feeds
    • Access patient records
    • Disrupt / block drug delivery
    • Crash the robots into objects / people (harassment)


Source: wsj.net


10 of 29

Hurrying somewhere? Just take a break [2019]

  • Xiaomi M365 electric scooter
  • Password validated on the application side only
    • The scooter does not track authentication state
    • Every command is executed whether or not the password was ever sent
  • Any scooter within ~100 m (Bluetooth range) could be attacked
  • Affected systems
    • Anti-theft mechanism (lock / unlock)
    • Braking and acceleration
    • Groundwork for installing new malicious firmware == full control of the scooter


Source: mi.com
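The two design flaws on slides 7 and 10 (a command channel whose authentication is checked only in the controller app, and authenticated commands that can be captured and re-sent) in a constructed Python model, placed here as an added example; it is not the real protocol of the scooter, the pump or any vendor. The device classes, the frame layout (4-byte counter, command text, 8-byte truncated HMAC tag), the pairing key and the command names are all assumptions. The same two attacks run against each model, and only the device that keeps its own authentication state and a monotonic counter rejects both.

```python
"""Device-side authentication state and replay protection on a wireless
command channel.

Added example, not a vendor protocol: a constructed model of the two flaws on
slides 7 and 10 beside one hardened design. Key, frame layout, tag length and
command names are assumptions."""
import hashlib
import hmac
import os
import struct

PAIRING_KEY = b"constructed-pairing-key"  # assumption; real devices derive one per pairing
TAG_LEN = 8                                # assumed truncated HMAC tag length


def mac(key, data):
    """HMAC-SHA256 truncated to TAG_LEN bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class App:
    """Legitimate controller holding the pairing key."""
    def __init__(self, key):
        self.key, self.session, self.ctr = key, None, 0

    def login(self, dev):
        nonce = dev.challenge()
        if nonce is None:              # device offers no login: nothing to prove to
            return
        self.session = mac(self.key, b"session" + nonce)
        dev.authenticate(mac(self.key, b"auth" + nonce))

    def send(self, dev, cmd):
        """Frame = counter || command || tag over both."""
        self.ctr += 1
        body = struct.pack(">I", self.ctr) + cmd.encode()
        frame = body + mac(self.session or self.key, body)
        return frame, dev.handle(frame)


class NoAuthStateDevice:
    """Slide 10 pattern: the app validates the password, the device keeps no
    authentication state and executes any frame it receives."""
    def __init__(self):
        self.executed = []
    def challenge(self):
        return None
    def authenticate(self, proof):
        pass
    def handle(self, frame):
        self.executed.append(frame[4:-TAG_LEN].decode())
        return "ok"


class NoFreshnessDevice(NoAuthStateDevice):
    """Slide 7 pattern: frames carry a tag under the pairing key, but nothing
    fresh (no challenge, no counter), so a captured frame can be resent."""
    def handle(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(PAIRING_KEY, body)):
            return "rejected: bad tag"
        return super().handle(frame)


class HardenedDevice(NoAuthStateDevice):
    """Authentication state lives on the device: challenge-response login,
    per-session key, strictly increasing counter checked before execution."""
    def __init__(self):
        super().__init__()
        self.nonce = self.session = None
        self.last_ctr = 0
    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce
    def authenticate(self, proof):
        if self.nonce and hmac.compare_digest(proof, mac(PAIRING_KEY, b"auth" + self.nonce)):
            self.session, self.last_ctr = mac(PAIRING_KEY, b"session" + self.nonce), 0
        self.nonce = None              # a challenge answers at most once
    def handle(self, frame):
        if self.session is None:
            return "rejected: not authenticated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(self.session, body)):
            return "rejected: bad tag"
        ctr = struct.unpack(">I", body[:4])[0]
        if ctr <= self.last_ctr:
            return "rejected: stale counter"
        self.last_ctr = ctr
        return super().handle(frame)


def attacker_inject(dev, cmd):
    """Within radio range, no key, no login: a frame with a garbage tag."""
    return dev.handle(struct.pack(">I", 1) + cmd.encode() + b"\0" * TAG_LEN)


def run_example():
    """Run the same two attacks against each device model."""
    results = {}
    for name, cls in (("no_auth_state", NoAuthStateDevice),
                      ("no_freshness", NoFreshnessDevice),
                      ("hardened", HardenedDevice)):
        dev, app = cls(), App(PAIRING_KEY)
        injected = attacker_inject(dev, "unlock")      # before anyone logged in
        app.login(dev)
        frame, _ = app.send(dev, "set_rate=3")        # legitimate command
        replayed = dev.handle(frame)                   # same bytes, re-sent
        results[name] = (injected, replayed, list(dev.executed))
    return results


if __name__ == "__main__":
    for name, outcome in run_example().items():
        print(name, outcome)
```

The lesson for anyone wiring a controller app to a robot is the same as for the scooter: the check that matters is the one the firmware performs, not the one in the app, and a tag alone is not enough unless something in the frame (here the session key from the challenge plus the counter) cannot be reused. A production design would also expire sessions and bind them to the radio link; both are left out here to keep the model small.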


11 of 29

Would you like a glass of poison... ehm, water? [2021]

  • Water treatment plant in the USA
  • Sodium hydroxide (NaOH) dosing
  • Access gained remotely
    • Via TeamViewer
  • Concentration raised from 100 ppm to 11,100 ppm (a dangerous dose)


Source:bleepingcomputer.com


12 of 29

Distance is not a problem [2022]

  • Viasat satellites – KA-SAT network
  • Breach of the management network
    • Commands sent to overwrite the modems’ flash memory
  • ~30,000 modems had to be replaced
  • AcidRain wiper
    • Strong similarities with VPNFilter (attributed to Sandworm – GRU)


Source: guidehouseinsights.com


13 of 29

Similarities between these attacks

  • I use <this> module, it will be OK
  • I use <this> shortcut, no one will know
  • <This> password is strong enough
  • Look, a mail with cute kitties
  • <It> is easy, I’ll do it myself
  • Cybercrime does not affect us


14 of 29

Questions

15 of 29

Are you using a wireless connection?

16 of 29

Are you using a wire to connect to your robot?

17 of 29

Do you use any type of security?

18 of 29

Best practices in software security

19 of 29

Best practices

  • You can be a target for cybercriminals
  • Patching, checking configuration
  • Change default passwords / credentials
    • Use MFA
    • Use a password manager
  • Up-to-date encryption libraries
  • Disable RDP (close unused ports)
  • Audit logs
  • Be aware of phishing
  • Backups


20 of 29

Network attacks

21 of 29

Types of attacks

  • Probe / information gathering
  • Remote to Local (R2L)
  • User to Root (U2R)
  • Denial of service / flooding attacks


22 of 29

Features

  • Packets / Flows
  • Sampling
  • “Who is communicating with whom”
  • Additional statistics (e.g., means)
  • Lots of useful data
  • Label / Category


23 of 29

Challenges

  • Type of an attack
  • False positives / False negatives
  • Known / zero-day attacks
  • What is “normal behavior”?


Source: 9gag.com


24 of 29

Supervised learning

  • Labeled data – “previous experience”
    • The algorithm needs to know the right answer
    • Obtaining labels is challenging
  • Classification & regression
  • Helps to solve well-defined problems
  • Training takes a lot of time


Source: neurospace.io


25 of 29

Unsupervised learning

  • Unlabeled data
  • Clustering, association & dimensionality reduction
  • Finds hidden structure in unlabeled data
    • Outliers, anomalies
  • Computationally complex
  • Less accurate

Source: jovian.ai


Source: youtube.com

Source: towardsdatascience.com


26 of 29

Real-world situation

  • Well-known attacks
    • Supervised learning
  • New types of attacks
    • Unsupervised learning
  • Keep false positives as low as possible


27 of 29

Real-world situation

Detector pipeline:

  • Traffic → Classification (supervised, trained on labelled data)
    • Well-known attacks → reported directly
    • Traffic without well-known attacks → passed on
  • Traffic without well-known attacks → Anomaly detection (unsupervised)
    • Benign traffic
    • Anomalies → candidate new attacks
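The pipeline of slides 22 to 27 (per-host flow features, a supervised classifier for the well-known attack types, an unsupervised anomaly detector on everything the classifier did not flag) as a self-contained Python example. It is added here and is not the speaker's detector. All flow records are constructed; the four features, the log1p scaling, nearest-centroid classification, z-score anomaly scoring, the std floor of 0.25 and the threshold of 3 are assumptions chosen so the code needs nothing beyond the standard library.

```python
"""Two-stage network attack detector: a supervised classifier for well-known
attack types, then unsupervised anomaly detection on whatever it did not flag.

Added example, not the speaker's detector. All flow records are constructed;
the feature set, the log1p scaling, the std floor and the z-score threshold
are assumptions chosen for illustration."""
import math
from collections import defaultdict


# A flow is (src, dst, dst_port, packets, bytes).
def make_flows(src, dst, ports, per_port, pkts, nbytes):
    """Constructed traffic: `per_port` flows from src to each port on dst."""
    return [(src, dst, p, pkts, nbytes) for p in ports for _ in range(per_port)]


def host_features(flows):
    """Aggregate per source ("who is communicating with whom" plus means):
    flow count, distinct (dst, port) targets, mean packets, mean bytes.
    log1p compresses the magnitude gap between a scan and a flood."""
    per_src = defaultdict(list)
    for f in flows:
        per_src[f[0]].append(f)
    feats = {}
    for src, fl in per_src.items():
        n = len(fl)
        targets = len({(f[1], f[2]) for f in fl})
        avg_pkts = sum(f[3] for f in fl) / n
        avg_bytes = sum(f[4] for f in fl) / n
        feats[src] = [math.log1p(v) for v in (n, targets, avg_pkts, avg_bytes)]
    return feats


def centroids(feats, labels):
    """Supervised step: nearest-centroid training from labelled hosts."""
    sums, counts = defaultdict(lambda: [0.0] * 4), defaultdict(int)
    for src, vec in feats.items():
        lab = labels[src]
        sums[lab] = [a + b for a, b in zip(sums[lab], vec)]
        counts[lab] += 1
    return {lab: [v / counts[lab] for v in s] for lab, s in sums.items()}


def classify(vec, cents):
    """Label = class whose centroid is nearest in feature space."""
    return min(cents, key=lambda lab: math.dist(vec, cents[lab]))


def benign_baseline(feats, labels, std_floor=0.25):
    """The unsupervised step needs a model of "normal": per-feature mean and
    std of the benign training hosts. The floor (assumed) stops a tiny, tight
    baseline from turning every small deviation into an alert."""
    vecs = [v for s, v in feats.items() if labels[s] == "benign"]
    cols = list(zip(*vecs))
    mean = [sum(c) / len(c) for c in cols]
    std = [max(std_floor, math.sqrt(sum((x - m) ** 2 for x in c) / len(c)))
           for c, m in zip(cols, mean)]
    return mean, std


def is_anomaly(vec, baseline, z_max=3.0):
    """Flag a host if any feature sits more than z_max standard deviations from
    the benign baseline (threshold assumed; raising it trades misses for fewer
    false positives)."""
    mean, std = baseline
    return max(abs((x - m) / s) for x, m, s in zip(vec, mean, std)) > z_max


def detect(flows, cents, baseline):
    """Pipeline from the talk: traffic -> classification -> well-known attacks
    split off -> anomaly detection on the rest -> anomalies vs benign."""
    result = {"well_known": {}, "anomalies": [], "benign": []}
    for src, vec in host_features(flows).items():
        label = classify(vec, cents)
        if label != "benign":
            result["well_known"][src] = label
        elif is_anomaly(vec, baseline):
            result["anomalies"].append(src)
        else:
            result["benign"].append(src)
    return result


# Constructed, labelled training traffic (the "previous experience").
TRAIN = (make_flows("10.0.0.1", "10.0.1.5", [443, 80], 2, 20, 15000)
         + make_flows("10.0.0.2", "10.0.1.5", [443, 80, 22], 2, 40, 30000)
         + make_flows("10.0.0.3", "10.0.1.6", [443, 8080], 1, 30, 8000)
         + make_flows("10.0.0.9", "10.0.1.5", range(1, 51), 1, 1, 60)   # port scan
         + make_flows("10.0.0.7", "10.0.1.5", [80], 500, 3, 120))       # flood
LABELS = {"10.0.0.1": "benign", "10.0.0.2": "benign", "10.0.0.3": "benign",
          "10.0.0.9": "probe", "10.0.0.7": "dos"}
TRAIN_FEATS = host_features(TRAIN)
CENTROIDS = centroids(TRAIN_FEATS, LABELS)
BASELINE = benign_baseline(TRAIN_FEATS, LABELS)

# Constructed unlabelled traffic: a normal host, a scanner, a flooder and a host
# pushing a few very large flows, a pattern the classifier was never trained on.
TEST = (make_flows("10.0.2.10", "10.0.1.5", [443, 8443], 2, 25, 12000)
        + make_flows("10.0.2.66", "10.0.1.5", range(1000, 1040), 1, 1, 64)
        + make_flows("10.0.2.99", "10.0.1.5", [53], 800, 2, 100)
        + make_flows("10.0.2.200", "203.0.113.9", [4444], 2, 5000, 5_000_000))


def run_example():
    return detect(TEST, CENTROIDS, BASELINE)


if __name__ == "__main__":
    print(run_example())
```

The scanner and the flooder match trained centroids and come out of the first stage as `probe` and `dos`; the large-upload host resembles no trained attack, so the nearest-centroid step calls it benign, and only the second stage, comparing it to the benign baseline, reports it as an anomaly. How many false positives that second stage produces depends entirely on the threshold and on how representative the benign baseline is, which is the "what is normal behavior" challenge from slide 23.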


28 of 29

Conclusion

  • Existing attacks
    • How to avoid them
  • Research example
    • Network attack detector
  • Security is important
    • Don’t be a victim
    • Don’t be a weapon


29 of 29

Nivy Tower

Mlynské Nivy II. 18890/5

811 09 Bratislava

Slovakia

/kinit.sk

/company/kempelen-institute-of-intelligent-technologies/

/KInIT_sk