For anyone who has spent the past 10 years thinking IT security is all about operating systems, software, and the Internet, it’s a little shocking to read McAfee’s IT Security predictions for 2012. McAfee doesn’t spend a lot of text discussing new threats to the usual suspects. Instead, it zooms into the next frontier, where hackers target component firmware, networked embedded systems, and industrial infrastructure. Admittedly, the path to the latter is often through the Internet and Windows, but the target is often from another era.
If you wonder what the fuss is about, take a minute to think about how many printers from a certain market-leading vendor are attached to your network. These printers have a lot of valuable data stored on their hard disks, at least temporarily.
I suspect most organizations are still too anxious addressing the consumerization of IT and mobile devices to focus on hardware and embedded systems, but if McAfee is right, a wakeup call is coming soon – and possibly as soon as 2012.
Critical and Industrial Infrastructure
It may surprise you to find out that the systems controlling and managing many functions at power plants, refineries, as well as water and industrial systems run on Windows. Yes, Windows. In many cases anyone can download free trials of these packages and explore them all they want for a month. If that isn’t scary enough, many of these software packages, called Supervisory, Control, and Data Acquisition (SCADA) systems are connected to the same networks that connect to the Internet, but in most cases haven’t been designed with the Internet in mind. And they’re often in environments where people are not used to thinking very much about Internet hazards.
The vulnerabilities of SCADA systems have become a somewhat hot topic lately, with scores of vulnerabilities found in just a few weeks. The infamous Stuxnet worm that caused havoc to Iran’s nuclear program by changing the spin rate of its centrifuges targeted SCADA systems and was introduced through USB flash drives. Recently, hackers posted a link to logins for Israeli government SCADA systems on Twitter.
These are proprietary systems that control functions in many consumer devices such as GPS’s and cameras but are also found in corporate printers, network infrastructure hardware, and medical devices. Earlier this year, researchers at Columbia University demonstrated vulnerabilities in HP printers that could be harnessed to forward documents to a remote computer or even damage the printers physically. While the researchers targeted HP, these types of vulnerabilities are most likely present on most other printers as well, and many others can likely be found on routers and other network devices. HP issued firmware updates to address specific vulnerabilities cited by the researchers.
Another threat on embedded systems that has gained media attention as of late is attacks on automobiles. The trend of building new technology into cars also poses a risk, opening the door for vehicles to be hacked. Criminals can potentially remotely unlock your car, start up the engine, or activate a computerized braking system with a cell phone. Testing of Toyota’s braking problems showed that researchers could control the cars by using Bluetooth connections, as well as OnStar and SYNC systems.
Other Hardware Attacks
According to McAfee, as traditional operating systems such as Windows 8 get better at addressing core OS vulnerabilities, hackers are likely to try to get underneath the operating system to target network cards, graphics processors, hard drives, and system BIOS. A Trojan called Mebroni was one of the first discovered that was capable of attacking a system BIOS. More are sure to come.
It’s not time to panic yet, but be aware that the sophistication of hackers is growing as traditional operating system vulnerabilities are addressed, and the money and expertise behind cyberwars and hacktivism, which McAfee also highlights in its report, is considerable and growing. It’s time to start thinking about these threats and how to begin to address them.
For more information on McAfee’s threat predictions, read the full report here. You can also take a look at our January #SecChat recap, focused on 2012 threat predictions and security recommendations for businesses moving forward into the new year. As always, you can also follow us on Twitter at @IntelSec_Biz, where we post regular updates on McAfee news and events.