Wireless IoT; zero-day vulnerabilities

Case study: Discover and manage zero-day vulnerabilities

In a city or company infrastructure, the IoT attack surface includes all possible security vulnerabilities of connected devices, applications, and networks.

At first sight, an IP camera may seem harmless from a security point of view. However, particularly when connected to an IoT network, it may become an attractive target for a cyber criminal for three main reasons.

The first is privacy: the hacker may be interested in acquiring and analyzing live images of people living or moving in a certain area to learn their habits and behaviors, or to get sensitive personal information (faces, car license plates, etc.). Second, the violation may grant visibility into the infrastructure to which the camera is connected and pave the way to a network attack. Last, and most important, the breach may also lead to the exploitation of its computational power for crypto mining, or as a node of a command-and-control network called a botnet.

During a routine security assessment on the IoT network of a customer, our cyber security team detected a newly installed device, specifically an IP camera. A research activity was run to assess if the camera could be considered secure enough for being used and exposed on a public network. The team discovered two zero-day vulnerabilities: as these software vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, no patches are available for their resolution.

Discovering a zero-day vulnerability requires the adoption of an evil mindset and the expertise to ask the right questions: how many devices offer an attack surface? How deeply is the situation analyzed from the attacker's perspective? To answer these questions as exhaustively as possible, our cyber security experts leverage a methodological process that is part of the company's cyber security framework.

The analysis confirmed it was not secure to publicly expose the IP camera. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account to access all IP camera commands without being authorized. The second vulnerability was related to the passwords of the IP camera users. By reverse engineering the publicly available source code, it would have been possible to discover the salt used in the hash function with which user passwords are stored.
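The second finding comes down to a salt that is shared by every account and recoverable from the code. The following added example (not code from the camera or from the original post) contrasts that pattern with per-credential random salts and includes an audit check that spots the shared-salt pattern in a credential store. The SHA-256 construction, the salt value, the PBKDF2 parameters and all account names are assumptions, since the page does not name them.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed placeholder for a salt compiled into every firmware image (assumption).
STATIC_SALT = b"constructed-firmware-salt"
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def static_salt_hash(password: str) -> str:
    """Pattern at risk: one fast hash and one salt shared by all users and devices."""
    return hashlib.sha256(STATIC_SALT + password.encode()).hexdigest()

def per_user_hash(password: str, iterations: int = ITERATIONS) -> str:
    """Hardened form: a fresh random salt per credential and a slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:
        return False  # malformed record: wrong field count, bad hex, bad iteration count
    return scheme == "pbkdf2_sha256" and hmac.compare_digest(dk, expected)

def shared_hash_groups(store: dict) -> list:
    """Audit check: accounts with identical stored values reveal a shared or absent salt."""
    groups = defaultdict(list)
    for account, stored in store.items():
        groups[stored].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample: the same password set on two cameras, plus one unrelated account.
SAMPLE = {
    "cam-a/admin": "Winter2021!",
    "cam-b/admin": "Winter2021!",
    "cam-a/viewer": "other-pass",
}
WEAK_STORE = {k: static_salt_hash(v) for k, v in SAMPLE.items()}
STRONG_STORE = {k: per_user_hash(v) for k, v in SAMPLE.items()}

if __name__ == "__main__":
    print("static salt:", shared_hash_groups(WEAK_STORE))
    print("per-user   :", shared_hash_groups(STRONG_STORE))
```

With the static salt the audit groups the two admin accounts together, because identical passwords produce identical stored values on every device; with per-credential salts no two records match, so knowing the code reveals nothing reusable across accounts.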

Two different solutions were suggested: remove the camera and replace it with a more secure product, or install a firewall to limit access to known IP addresses. The customer agreed to remove the IP camera to avoid any possible issue and restore the overall security level.

 

Is your IoT infrastructure secure enough? Learn more about our Cyber Security Services and contact our experts to have all your questions answered!


cybercriminals

When a city is held hostage – podcast

Cybersecurity threats are on the rise and ransomware is the prime threat for private companies and public bodies, says the latest ENISA Threat Landscape report by the European Union Agency for Cybersecurity.

Cybercriminals are increasingly motivated by the monetization of their activities, and their attacks are growing in terms of sophistication, complexity, and impact due to our massive online presence, the transition of traditional infrastructures towards digital solutions, advanced interconnectivity of systems, and the exploitation of new features of emerging technologies.

Ransomware and cryptojacking are the techniques that money-oriented attackers use more frequently, and cryptocurrency remains their most common pay-out method. Unsurprisingly, ENISA highlights that supply-chain attacks rank high because of their significant potential to induce catastrophic cascading effects.

But something is changing. DDoS (Distributed Denial of Service) campaigns are becoming much more targeted, persistent, and increasingly multivector. And not all cyber offenders are primarily driven by money.

In the UK, on December 20th 2021, Gloucester City Council became aware of a cyberattack hitting its systems and resulting in some key services, such as housing benefits management, being delayed or unavailable. As reported by the BBC, it could take months to fix affected servers and systems, while preliminary investigations unveiled there could be links to hackers in the former Soviet Union.

The mounting tension between Russia and Ukraine is seen by cybersecurity experts as a possible trigger of hacking offensives threatening Europe, the US, and beyond. That already happened in 2017 with NotPetya, a Russian cyberattack that targeted Ukraine but rapidly impacted the entire world at a cost of billions of dollars.

The likelihood of cyberwar scenarios makes ENISA underline there are four categories of cybersecurity threat actors to be monitored: ‘traditional’ cybercriminals, state-sponsored attackers, hacker-for-hire actors, and hacktivists. Understanding how these actors think and act, what their motivations and goals are, is an important step towards a stronger cyber incident response.

Are cities prepared to recognize and face such different threats? Listen to Nicola Crespi, head of R&D at Paradox Engineering, and Dario Campovecchi, our cybersecurity architect, in a conversation that explores some of the most acute dangers Smart Cities are confronted with, and how to manage cybersecurity as a lifelong journey.

The podcast is available on Tomorrow.City


cybersecurity

What about cybersecurity in Smart IoT Cities?

“Your city has been hacked” – this is the news everybody fears...

If it were measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China. According to a report by US-based firm Cybersecurity Ventures, cybercrime is predicted to inflict damages of 6 trillion US dollars globally in 2021. Growing by 15% per year, expected damages will reach 10.5 trillion US dollars by 2025 including stolen money, theft of personal and financial data, theft of intellectual property, lost productivity, forensic investigation, restoration and deletion of compromised data and systems, and reputational harm for the hacked organization.

A cyberattack could potentially disrupt essential public services, expose personal and financial data, and disable the economy of a city. Not a reassuring perspective for cities which are increasingly relying on interconnected networks and sensor-based infrastructures to operate and deliver any application that people and businesses need, from energy distribution to mobility systems, from street lighting to municipal waste collection, and more.

Are cities prepared to face such a threat? An online survey we carried out in October 2021 targeting city officers, utility managers and ICT professionals, found that two-thirds (67 per cent) felt their city was “somewhat vulnerable” to cyberattacks and only four per cent claimed to be “100 per cent cybersecure”. The majority’s (42 per cent) main concern in the case of an attack was around financial data violation, followed by business continuity (40 per cent) and personal data privacy (18 per cent).

How can cities mitigate cybersecurity risks and build a secure foundation for their IoT infrastructure? How can we manage cybersecurity as a lifelong journey? Don't miss our digital event 'What about Cybersecurity in Smart IoT Cities?' on Thursday November 18th, 2021: at Smart City Expo World Congress, our Chief Innovation Officer Nicola Crespi and our Cybersecurity Architect Dario Campovecchi will discuss Paradox Engineering's security by design approach and introduce some innovative services we will launch in 2022.

Free registration is required, contact us to submit questions in advance!


zero trust

Zero trust, the new cybersecurity buzzword

Any device or network architecture can be breached, that’s true. So we shouldn’t trust any user or system. The simple but trenchant assumption is feeding ‘zero trust’, a new hype concept in cybersecurity and a ‘very fashionable term’ in the tech world as the UK's National Cyber Security Centre defined it.

Widespread digitalization, new hybrid workforces and collaboration models, and the growing sophistication of cybercrime created the conditions for a more restrictive vision of data and infrastructure protection. While the EU is shaping its Cybersecurity Strategy, the US is already approaching zero trust after President Biden's "Executive Order on Improving the Nation's Cybersecurity." Released last May, the order basically pushes federal agencies to implement zero trust architectures and prepare for future enhancements. Updated guidance was released last week and agencies are given specific security goals to be achieved by September 2024.

If asked to summarize what zero trust is about, we might say “Never trust, always verify”. The idea is to remove inherent trust from the network, and not to trust devices by default just because they are inside the perimeter of a firewall or VPN. A zero-trust architecture should verify everyone and everything, using granular techniques to permit only necessary network access and transactions.

The migration to this network design could be expensive and somewhat disruptive for most organizations, and it could require years to be completed due to the extent of changes to be implemented.

Zero trust supporters highlight this strict model allows the organization to minimize cyberattack risks, define stronger authentication and authorization policies, reduce the network overhead, and react more quickly in case something gets compromised.

However, we need to remember 100 percent cybersecurity is an impossible goal, unless we fully give up on innovation and digital transformation. So zero trust architectures or solutions can’t be taken as the ‘silver bullet’ answer to solve everything.

Some analysts recommend a pragmatic approach, starting with an accurate assessment of actual vulnerabilities. Which network elements actually require zero trust protection? Which data, transactions, or applications need to be locked down with the utmost level of security? This kind of analysis could lead to the decision to shift to zero trust only for the most critical assets while enacting more proactive and systematic cybersecurity measures without adding unnecessary complexity.

 

What’s your approach to cybersecurity? Is zero trust applicable to your network? Contact our cybersecurity experts to share thoughts and insights!


survivorship bias

Cybersecurity in Smart Cities: don’t be trapped in the survivorship bias

During World War II, a team of researchers at Columbia University was asked to examine the damage done to aircraft that had returned from missions and recommended adding armor to the areas that showed the most damage. This sounded pretty logical, but the statistician Abraham Wald contradicted the US military's conclusions by pointing out that only the aircraft that had survived had been considered. Since the bullet holes in the returning aircraft identify areas where a bomber could take damage and still fly well enough to come back safely to base, Wald proposed to reinforce areas where the returning aircraft were unscathed.

The ‘survivorship bias’ – that is, the logical error of concentrating on people or things that passed some selection process and overlooking those that did not – can lead to false conclusions in several different ways, and it is a pitfall for cybersecurity too.

In 2020 the Center for Long-Term Cybersecurity at UC Berkeley surveyed 76 cybersecurity experts and ranked different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack. According to this study, not all Smart City technologies pose equal risks: emergency alerts, street video surveillance, and smart traffic signals stand out as the most vulnerable, while smart waste systems and satellite water leak detection are considered among the safest.

City officials should therefore consider whether cyber-risks outweigh the potential gains of technology adoption on a case-by-case basis, and invest more in technologies that are both vulnerable in technical terms and attractive targets to capable potential attackers because the impacts of an attack are likely to be great. Again, this sounds like a logical recommendation – but let us beware the survivorship bias.

Achieving 100% cybersecurity is an impossible goal unless we fully give up on innovation and digital transformation. However, Cities should be 100% conscious that any urban network infrastructure and application should be properly designed and implemented with security built in from the outset. Even potentially unattractive systems – such as streetlights – might become interesting for criminals, and the human element is often the weak link to turn a vulnerability into an actual leak.

Many governments around the world are raising cybersecurity consciousness and starting dedicated programs to protect critical systems and resources. Last May, President Joe Biden signed an executive order aimed at strengthening US cybersecurity defenses, a move that follows a series of sweeping cyberattacks on private companies and federal government networks over the past year. The order seeks to move the federal government toward more modern and safer digital infrastructure, and sets stricter rules for IT service providers working with public bodies.

Italy is set to create a national agency responsible for fighting cyberattacks and creating a unified cloud infrastructure to increase security for public administration data storage. Most European countries are boosting their efforts to counter cyber risks, seen as a threat to their security and competitiveness in an increasingly networked world.

While we head for improved systems and data protection, we shouldn’t forget that it is possible to balance the value of innovative technology with the lowest possible risks. At Paradox Engineering, the balance is made thanks to our ‘security by design’ approach: this means injecting cybersecurity into IoT technologies from their very inception, and combining different methods (blockchain, dedicated hardware security modules on devices, ultra-reliable encryption, and other features) to ensure urban infrastructures are intrinsically secure.

Securing cities is an ongoing challenge which requires an overarching approach and strategy (let us avoid the survivorship bias!), together with constant monitoring, learning and collaboration, especially as hackers tap advanced technologies such as AI to become more effective and cybersecurity insurance costs soar.