Prediction 1: Someone Will Hack a Light Switch to Burglarize a Home

Blue canary in the outlet by the light switch

Who watches over you

Make a little birdhouse in your soul

– “Birdhouse in Your Soul” by They Might Be Giants

Smart homes are great. Who wouldn’t want to stop carrying around a bunch of keys, or be able to open your door remotely for a delivery, or adjust your thermostat automatically for optimal cooling and efficiency? In the multifamily housing industry (apartments and condos) especially, smart home/connected home technology is a great differentiator in a crowded market.

However, the issue here is the Internet of Things (IoT) security. Yearly at the DEF CON hacking conference in Las Vegas, they “hack all the things,” such as Bluetooth wireless speakers and smart thermostats. The process is generally to open the device’s housing, solder some wires onto a serial port, and drop into an administrative interface to make changes. Such attacks most often require physical access to the device to tamper it. Much scarier attacks are those that can be performed remotely – over the network. Imagine if you could cause a microwave oven to turn on and start sparking up the kitchen!

So, who cares if someone exploits a light switch, you say? Ever hear of the term “lateral privilege escalation”? That’s when an attacker exploits a low-integrity device to compromise high-integrity devices that are interconnected in the same smart home.

Many of these smart home systems have a “hub” and central data repository that, if compromised, provides hackers the ability to access all devices in the home. It works like this: the attacker goes after a sprinkler or a third-party lighting app that has insufficient authentication, and then pivots from there to modify a data store variable for another high-integrity product, such as the security alarm. Researchers at William & Mary have already shown how they could trick the NEST smart home system into thinking the owner was home when he wasn’t, thereby disabling his security camera.

Smart home technology firms – including HP, Samsung, and Centrica Hive – have signed up for the UK government’s voluntary security guidelines for IoT consumer devices. However, these guidelines are just a start. The issue with many of these vendors is that they do not have a uniform approach to security in their suite of products. They tend to acquire numerous technologies and products over time, and each of these was developed by a different vendor with a different security approach. Just managing something as simple (ha!) as a PKI certificate solution for these devices is often difficult and deeply flawed.

So, in 2019, I believe we will begin to see a lot more stories of homes and businesses being looted due to flaws in burglar alarms, keyless entry, and yes… light switches.

IoT Security

Abacode advises on IoT security through product design reviews, hardware penetration testing, and implementation of custom PKI solutions. Through our partnership with Occam Technology Group, Abacode has advised on embedding security into new start medical devices, not to mention smart home/connected home systems. We currently have ethical hacking experts standing by both in the US and UK to advise on best practices for embedded device security.

Prediction 2: Attackers Will Take Down the Global Supply Chain

Webster: Every oil pump in America is run by…
Gorman: Computers. I know.
Webster: Will you stop interrupting?!
Gorman: I’m sorry.
Webster: You will command the pumps to stop pumping. Then I want you to program one special command…
Gorman: Into all these systems.
Webster: Tell them these orders are irreversible. So, it would be impossible for anybody to switch them back. Can you do this for me, old buddy? Old pal?

– Superman III (1983)

A couple years ago, attackers were thinking about stealing credit card data. Now, they are looking at things like taking down manufacturing plants and affecting global shipping lines. We have seen this coming for some time – well, at least in the movies.

In the 1983 movie Superman III, programming savant Gus Gorman introduced us to the “salami slicing” attack (to be replayed in 1999’s Office Space), in which the hacker gets rich by embezzling a few fractions of a cent at a time so that no one notices. However, Gorman also did something much more nefarious – he created a virtual oil embargo by reprogramming all oil tankers to sail to the middle of the Atlantic Ocean. Ultimately, Superman overcame a split personality induced by synthetic kryptonite to beat Gorman’s supercomputer.

In 1995’s Hackers, Eugene “The Plague” Belford also took advantage of autonomous systems to attempt to steal from Ellingson Mineral Company. Although ostensibly Ellington’s CISO, Belford anonymously threatened to capsize the Ellingson tanker fleet with his “Da Vinci” virus – which, of course, was just a red herring for his own worm designed to steal funds from Ellingson’s “Gibson” supercomputer. When CEO Duke Ellingson asked why they didn’t just put the ships’ ballasts under manual control, Belford tells him, “There’s no such thing anymore, Duke. These ships are totally computerized.” Fortunately, however, aspiring hacker Joey stole a garbage file that ultimately implicates Belford.

In 2018, within weeks of each other, attackers hit the Port of Barcelona and the Port of San Diego. A wayward drone took down operations at Gatwick Airport for two days. Maersk and COSCO have been ransomware victims.

We have, in the past, heard about malware getting into systems via all of the following:

Software supply-chain attacks involving a Trojan horse inserted in otherwise legitimate software

Public-facing Remote Desktop Protocol (RDP)

USB flash drives

Coffee machines in the breakroom

The bottom line is, we are seeing a lot of attacks specifically targeting ships, terminals, and ports – not to mention manufactories, warehouses, and Industrial Controls Systems (ICS). That means an interruption to global shipment of materials and goods. And we may not have Superman or a lucky script kiddy around to save the day.

Managed Threat Detection & Response

Given that people inevitably make mistakes in implementing and operating systems, and given that no security prevention is 100% effective, you need constant vigilance. Abacode operates Security Operations Centers 24/7/365 to ensure that someone is always watching your internal network and cloud operations for indicators of compromise. We use leading-edge solutions such as Alien Vault USM Anywhere™ to gain visibility to both on-premises and cloud-based threats. When we detect a potential incident, we immediately respond and help contain and remediate the issue.

Prediction 3: We Will See a Convergence of Cybercrime and Physical Crime

“In the United States, the Mafia makes witnesses disappear so they can’t testify in court. In Colombia, Pablo Escobar made the whole court disappear.”.
Webster: Tell them these orders are irreversible. So, it would be impossible for anybody to switch them back. Can you do this for me, old buddy? Old pal?

– Steve Murphy in Narcos

In many ways, we have seen physical crime decrease in past years. While there have been several well-publicized mass shootings, in fact, gun violence is actually down overall. In addition, the rate of overall property crime and burglary declined about 10% from 2016-2017. I have been saying for a while that cybercrime is potentially much more dangerous and widespread than physical crime. For example, if I knew how to hotwire a car, I could maybe teach one or two others at a time how to do this. The propagation rate of this knowledge is fairly limited (even though nowadays you could maybe watch how to do it on WikiHow or YouTube). In addition, you must be physically present at the crime scene, and with modern forensic techniques, you would be hard-pressed not to leave any DNA evidence around.

So, cybercrime is much more attractive for several reasons, namely:

• Its effects are more far-reaching. That is, I could rob one bank branch at a time with a gun; but with a computer, I might be able to break into several at once.
• I don’t have to put my butt on the line. Computer crime can take place from anywhere on the Internet, where perception is easily manipulated. For example, I could proxy in through a site in another country and make it seem as if the attack is coming from there.

Organized crime has seen a hit to revenues due to the extensive (mostly legal) availability of marijuana and the decline in cocaine and heroin use (due to the wide availability of prescription opiates). The New York mafia, for example, is now mostly into construction, extortion, and protection rackets. In many cases, we have seen organized crime delve into cybersecurity schemes, such as botnets, ransomware, and so forth. In fact, this FUD is predicted by the Herjavec Group’s 2019 Official Annual Cybercrime Report to hit $6 trillion in damages by 2021.

But what if someone were able to combine cybercrime with a physical crime?

Imagine this scenario: an organized crime group hacks into the system of a company that manages the wealth portfolios of high net worth individuals. First, the attackers snoop about and collect data that they can use to steal funds or extort the victims, perhaps by doxing them (e.g., publishing all their personal and net worth info publicly).

If none of that works, the crime syndicate now adds a new wrinkle: use the victim’s personally identifiable information to send Rocco to pay them a visit in the physical world. Either shake them down, kidnap a family member, or otherwise intimidate them into paying some ransom.

Privacy and anonymity are the new currency of our era. Protecting these at all costs is a part of doing business.

Social Media & Web Reputation Protection

We have some dire 2019 predictions here, but fortunately, help is available. Abacode, along with our partners at ZeroFOX, will ensure that someone is always watching your social media/Web presence for risks. When we detect a potential incident, we immediately respond and help contain and remediate the issue. We have your back in 2019 and beyond.

Meet the Author

Jeremy Rasmussen
CTO & CISO

Jeremy Rasmussen is Chief Technology Officer of Abacode, a Tampa-based company that provides managed cybersecurity services to growing businesses across all industries. Abacode employs global thought leaders and industry experts in ethical hacking, corporate governance, and incident response to provide its clients with a holistic view of cybersecurity. He is also an adjunct professor at the University of South Florida and founder of the USF Whitehatters Computer Security Club (WCSC). Since 2000, he has taught USF courses in cryptography and network security, ethical hacking, digital forensics & investigations, and mobile & wireless security. He has more than 25 years of experience in performing R&D and developing cybersecurity solutions for government and commercial customers. Jeremy is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Project Management Professional (PMP). He was named the 2017 Tampa Bay Technology Leader of the Year.