Cyber Killers: Spectre, Meltdown, Chimera and other Security Horrors
A computer security company has just described some very serious security weaknesses in AMD microprocessor devices. This follows similar problems discovered with Intel and ARM-based chips last year. In this age of automation, just how dangerous are the threats? Cyber security may well be the key to success or failure for the Internet of Things and automation in general.
Some time ago thieves got their hands on hacking tools stolen from a US government agency and demanded millions of dollars for them. When nobody seemed interested, they dumped the code onto the Internet for anyone to use. Months later the WannaCry worm appeared, built around one of the stolen exploits; Microsoft had already patched the hole it used (MS17-010, March 2017), so the worm spread through machines that had not been updated. Computer viruses have been around since the first networked PCs and many users, if not company network administrators, have become somewhat complacent about the effects of an attack. Until last year (2017), when WannaCry almost crippled the UK National Health Service, I suspect most members of the public thought computer security breakdowns would not affect them personally. Cyber-attacks involving blackmail or fraud are not new and their ill-effects are usually limited to financial loss or the publication of embarrassing or incriminating information. The WannaCry outbreak had potentially life-threatening consequences for NHS patients. As we rush to embrace home automation, Industry 4.0 and driverless cars, the realisation is dawning that cyber-crime can be fatal.
The weaknesses in the hardware design of some AMD microprocessors were published after giving the chip company only 24 hours' notice instead of the usual 90 days. They have been given the names Ryzenfall, Fallout, Chimera and Masterkey. Awkwardly for AMD, the part of the system that could be targeted by malicious hackers is the built-in Security Processor itself (and, for Chimera, the companion chipset), though every one of them first requires administrative access to the machine, which is worth remembering when judging how serious they are. The researchers said some of the vulnerabilities may be fixed by firmware changes while others cannot be removed without hardware design modifications; AMD has said it expects to address all four with firmware and BIOS updates. It's only a few months since we heard about the hardware vulnerabilities called Spectre and Meltdown (Spectre affects Intel, ARM and AMD chips; Meltdown itself affects Intel and some ARM designs). On that occasion the companies had months of notice (the reports went in during June 2017 and were made public in January 2018), so some sort of fixes or workarounds were ready. Spectre so far has only microcode and software workarounds: the processor goes on executing speculatively, but the mitigations fence off speculation around sensitive branches and indirect jumps (microcode controls such as IBRS and IBPB, compiler-inserted 'retpolines'), and Meltdown is dealt with by keeping kernel memory unmapped while user code runs (KPTI). Speculative execution is what makes a modern processor fast, so restricting it can have a very noticeable effect on execution speed for some workloads. A full fix will probably have to wait for new versions of the chips. As if the poor user wasn't confused enough with all this firmware 'patching', unscrupulous hackers were issuing fake patches, causing even more mayhem. The cyber-war around the humble PC continues.
Home Automation and the IoT
Security on all those Wi-Fi coffee machines, kettles and kids’ toys is often non-existent. In many cases, these products provide an open doorway to your home network and all data moving on it. As for the devices controlling your central heating or lighting, they may have better security but they’re not beyond hacking with all the discomfort and cost that may ensue. A mass attack on homes could even have implications for the power utilities. Intelligent Home Assistants and Fitness bands offer an interesting insight into public attitudes towards data privacy. In all cases, these devices are pouring vast amounts of data on the owner’s daily life and health into the Cloud to be examined by…who? These same people are probably outraged at suggestions that MI5 may be reading their emails. It takes all sorts.
In 2010 the Stuxnet worm was detected, believed to be the first worm written to attack industrial control systems: it spread through Windows, but its real target was the Siemens programmable logic controllers behind a SCADA installation. This was an ultra-sophisticated piece of malware believed to have been created by a US government agency for the purpose of bringing Iran's nuclear centrifuges to a standstill. It must have cost millions and was only partially successful. Once in the public domain, however, it provided a useful library of malware techniques for less talented miscreants. Industry 4.0 offers many more opportunities for unauthorised access to factory control systems. The push of economics inevitably leads to production facilities run by networked intelligent machines, where a 'machine' can be just a single electric motor with a microcontroller. This is the vision of Industry 4.0: vast factories with no human workers, remotely managed from 'the Cloud' and taking orders directly from customers. This level of connectivity with the outside world increases vulnerability to hacking at several levels:
- Management in the Cloud.
A hacker could get high-level control of production by infiltrating a worm into computers at the company’s remote headquarters. With fully automated production they could quietly order products to be made to their specification and delivered by the automated trucks. Or they could just disrupt or shutdown production. A more subtle attack by a competitor could involve making small changes to the quality control system increasing the number of defective products thus sabotaging the company’s reputation.
- Factory level.
Attacks at this level are likely to be just aimed at disruption. A process controller in a chemical plant could be instructed by a virus to open or close valves at the wrong time perhaps triggering an explosion.
- Machine level.
Even more subtle changes can be made in the control programs for individual motors, for example. Small adjustments to the PID control loop constants could bring about an increase in vibration, perhaps overheating, leading to premature mechanical failure.
Personally, I believe it’s the low-level attacks at factory and machine level that could be the most disruptive in the long term and the hardest to detect until significant damage is done. If all this seems far-fetched, so did Stuxnet at the time. What it showed was that with enough resources (money and talent), practically all security can be broken. I just hope that Industry 4.0 ideas are not applied to nuclear power station design in the UK. Reactor control rod motors connected to the Internet – what could possibly go wrong?
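To make the machine-level attack concrete, here is an added example (not part of the original article and not modelled on any real PLC or drive): a simulated PID loop driving a constructed first-order motor-load model with actuator delay and saturation. With the commissioned gains the loop settles; with one parameter, Kp, raised past the point where the actuator delay turns feedback into a limit cycle, the output hunts around the setpoint indefinitely, which at a real machine is vibration. The change is larger than the 'small adjustment' in the text so that the effect shows in a twenty-second run, but the mechanism is the same. The plant constants, gains and thresholds are all assumptions made for the demonstration. The second function is the check a defender wants: a digest of the deployed tuning compared with the digest recorded at commissioning, so drift in a parameter block is caught before the bearings go.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// Gains is the tuning block held in a drive or PLC parameter area; it is what
// a machine-level attacker edits.
type Gains struct{ Kp, Ki, Kd float64 }

// Plant and loop assumptions, all constructed for this example.
const (
	dt         = 0.01 // controller sample period, s
	tau        = 0.5  // motor-plus-load time constant, s (first-order lag)
	delaySteps = 10   // actuator/fieldbus latency in samples (0.1 s)
	uMax       = 5.0  // actuator saturation, either sign
	steps      = 2000 // 20 s of simulated time
	setpoint   = 1.0  // demanded speed, per unit
)

// simulate runs a discrete PID loop around the plant and returns the RMS
// deviation of the output from the setpoint over the second half of the run:
// close to zero when the loop settles, large when it hunts (vibration).
func simulate(g Gains) float64 {
	y, integral := 0.0, 0.0
	ePrev := setpoint - y
	uHist := make([]float64, delaySteps) // ring buffer of issued commands
	sumSq, n := 0.0, 0
	for k := 0; k < steps; k++ {
		e := setpoint - y
		integral += e * dt
		deriv := (e - ePrev) / dt
		ePrev = e
		u := g.Kp*e + g.Ki*integral + g.Kd*deriv
		u = math.Max(-uMax, math.Min(uMax, u)) // actuator cannot exceed its limits

		// The plant sees the command issued delaySteps samples ago.
		uApplied := uHist[k%delaySteps]
		uHist[k%delaySteps] = u
		y += dt / tau * (uApplied - y) // Euler step of tau*dy/dt = u - y

		if k >= steps/2 {
			sumSq += (y - setpoint) * (y - setpoint)
			n++
		}
	}
	return math.Sqrt(sumSq / float64(n))
}

// paramDigest is the defender's check: a digest of the deployed tuning to
// compare with the one recorded at commissioning. Fixed-precision formatting
// keeps the digest stable across whatever tool reads the parameters back.
func paramDigest(g Gains) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("Kp=%.6f;Ki=%.6f;Kd=%.6f", g.Kp, g.Ki, g.Kd)))
	return hex.EncodeToString(sum[:])
}

func main() {
	commissioned := Gains{Kp: 4.0, Ki: 4.0, Kd: 0.02}
	tampered := Gains{Kp: 10.0, Ki: 4.0, Kd: 0.02} // constructed edit: only Kp changed
	baseline := paramDigest(commissioned)
	for _, g := range []Gains{commissioned, tampered} {
		fmt.Printf("Kp=%4.1f Ki=%4.1f Kd=%.2f  vibration RMS=%.3f  matches baseline=%v\n",
			g.Kp, g.Ki, g.Kd, simulate(g), paramDigest(g) == baseline)
	}
}
```

The digest comparison is deliberately independent of the simulation: it only needs the parameters read back from the live controller, so it can be scheduled as a routine check, and a mismatch is a reason to look at the machine before the vibration data says anything.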
Not long ago the only electronic security on the average car was a PIN code to activate the radio. Now most cars have electronic driver assistance features (ADAS), most of which are programmable with the right plug-in tools or, worse, remotely over a wireless Internet connection. As usual, people found ways to hack into and corrupt this technology, and several published hacks allow remote operation of engine controls and braking while the car is on the road. They are possible because of the 'Law of Unintended Consequences': designers build in security weaknesses by interconnecting, say, infotainment with engine management. Having all the vehicle's systems linked by a shared bus, usually CAN, is great for efficiency but not so good for safety: a CAN frame carries no sender identity and no authentication, so any node that can transmit on the bus can impersonate any other. There is a definite need for legitimate remote access to autonomous vehicle electronics. Vehicles must communicate with each other (V2V) and with roadside nodes (V2I) to supplement data from on-board sensors. Naturally, these wireless links represent a massive security risk, with the possibility of remote hijacking. On the other hand, remote control does offer a way around the problem of what happens when the auto-driver cannot cope and human intervention is required. Does the concept of your car being equipped to let a remote driver take over make you feel more or less secure?
For the average PC user on the Internet, the best advice, as always, is to create non-guessable, non-obvious passwords whenever you are asked to. Installing operating system updates as soon as they arrive is essential; WannaCry spread through machines that had skipped a two-month-old patch. Make sure the Wi-Fi passphrase on your router is also strong, although many nowadays come with one already set. Access to keys and other router functions is usually through a browser at a local IP address, and here is a piece of password protection that is often missed: the router's administration password is usually a well-known default such as 'admin'. Get it changed. One reason Wi-Fi-enabled domestic appliances are so vulnerable is that the password or PIN protection available on their wireless modules is rarely enabled by the appliance manufacturer, and the owner usually has no way of setting it. As an aside, do you know your telephone answering machine (OK, OK, dinosaur technology) has a PIN to secure remote playback? It is accessible, and if more celebrities had set it there would not have been a newspaper phone-hacking scandal.
Most encryption today relies on the key space being far too large to search by brute force (trying every possible key): even the fastest supercomputers would need longer than the age of the universe to exhaust a 128-bit key. Quantum computing changes that picture, but unevenly. Grover's algorithm roughly halves the effective key length of a symmetric cipher, so AES-128 would offer about 64 bits of security and doubling key sizes restores the margin; Shor's algorithm, on the other hand, breaks the mathematics behind RSA and elliptic-curve public-key schemes outright, which is why 'post-quantum' replacements are being standardised now, before a large enough machine exists. Interestingly, quantum key distribution may eventually provide a key exchange on which eavesdropping is physically detectable, though it secures the link rather than the computers at either end of it.
Building-In IoT Security
Anyone designing an IoT node around an embedded microcontroller should include a cryptoprocessor chip alongside it: a device that generates and stores keys in hardware, so that the secret never sits in ordinary flash where a firmware bug can leak it. Examples include the Microchip ATECC608A (165-4497), a secure element that holds P-256 keys and performs ECDSA and ECDH on them, and the Infineon SLB9645VQ1.2, a TPM 1.2. The latter features on an IoT node development board from Imagination Technologies (125-3306).
It's not just a question of encrypting the data on the communications channel. With the vendor's public key locked into such a chip, the node can check that an incoming firmware image was signed with the vendor's private key before it writes a single byte to flash, which is what stops an attacker uploading dodgy program code in the guise of a legitimate 'update'. Because the private key never leaves the vendor, compromising one device does not yield the ability to sign for the rest, and keeping a version counter in the chip lets the node refuse a genuine but older image that would reintroduce a fixed bug.
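The update gate described above, as an added example in Go rather than code from the article, Microchip or Infineon. It uses Go's standard crypto/ecdsa on the P-256 curve, which is the curve the ATECC608A verifies, but the image layout (magic, version, length, payload, signature), the version numbers and the firmware strings are all constructed for the demonstration. The device holds only the vendor's public key and a monotonic version counter; the private key stays with the vendor's build step. Four images are presented to a device running version 3: a genuine newer image, the same image with one payload byte altered after signing, an image signed with an attacker's own key, and a replay of a genuine older image. Only the first is written to flash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout, constructed for this example (not a vendor format):
// magic "FWUP" | version u32 BE | payloadLen u32 BE | payload | sigLen u16 BE | ASN.1 ECDSA sig
const magic = "FWUP"

// Device models what a secure element pins down on the node: the vendor's
// public key (provisioned once, then locked) and a monotonic version counter.
type Device struct {
	VendorKey        *ecdsa.PublicKey
	InstalledVersion uint32
	Flash            []byte
}

// BuildImage is the vendor's release step. The private key lives only here
// (in practice in the vendor's HSM), never on any device.
func BuildImage(priv *ecdsa.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	digest := sha256.Sum256(signed) // signature covers header and payload
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err) // only a failure of the system RNG gets here
	}
	out := append(signed, byte(len(sig)>>8), byte(len(sig)))
	return append(out, sig...)
}

// ApplyUpdate is the device side. Nothing touches flash until the header
// parses, the signature verifies against the pinned key and the version is
// newer than the one installed; the signature is checked before the version.
func (d *Device) ApplyUpdate(img []byte) error {
	if len(img) < 14 || string(img[:4]) != magic {
		return errors.New("bad magic or truncated header")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if plen > uint32(len(img)-14) {
		return errors.New("payload length exceeds image")
	}
	end := 12 + int(plen)
	sigLen := int(binary.BigEndian.Uint16(img[end : end+2]))
	if end+2+sigLen != len(img) {
		return errors.New("signature length mismatch")
	}
	digest := sha256.Sum256(img[:end])
	if !ecdsa.VerifyASN1(d.VendorKey, digest[:], img[end+2:]) {
		return errors.New("signature invalid: image rejected")
	}
	if version <= d.InstalledVersion {
		return fmt.Errorf("rollback refused: offered v%d, installed v%d", version, d.InstalledVersion)
	}
	d.Flash = append([]byte(nil), img[12:end]...)
	d.InstalledVersion = version
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// runScenario presents four constructed images to a device at v3 and returns
// each outcome: genuine v4, tampered v4, attacker-signed v5, replayed genuine v2.
func runScenario() [4]error {
	vendor, attacker := newKey(), newKey()
	dev := &Device{VendorKey: &vendor.PublicKey, InstalledVersion: 3}
	var r [4]error
	r[0] = dev.ApplyUpdate(BuildImage(vendor, 4, []byte("constructed firmware v4")))
	forged := BuildImage(vendor, 4, []byte("constructed firmware v4"))
	forged[12] ^= 0x01 // first payload byte altered after signing
	r[1] = dev.ApplyUpdate(forged)
	r[2] = dev.ApplyUpdate(BuildImage(attacker, 5, []byte("constructed malicious v5")))
	r[3] = dev.ApplyUpdate(BuildImage(vendor, 2, []byte("constructed firmware v2")))
	return r
}

func main() {
	names := []string{"genuine v4", "tampered v4", "attacker-signed v5", "replayed v2"}
	for i, err := range runScenario() {
		fmt.Printf("%-20s -> %v\n", names[i], err)
	}
}
```

On a real node the VerifyASN1 call is the one thing delegated to the secure element, with the vendor key in a locked slot and the version counter in a monotonic counter slot, so that neither can be altered by whatever code is already running on the microcontroller.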
Finally, here's an amusingly different angle on the computer security problem. Artificial neural networks (ANNs) are routinely used by law-enforcement officers to perform rapid image processing: a network can be trained to recognise a particular human face and look for it in a database of images or security camera feeds. Well, it's certainly routine in most US TV police departments. However, researchers have demonstrated simple 'disguises' a subject can wear to beat the system. Would you believe a pair of specially patterned glasses frames will fool the AI? Similar spoofing can make an AI-based speech-to-text converter interpret a spoken input as something completely different. It has been shown that neural networks are generally vulnerable to what are called 'adversarial examples', in both audio and image form: inputs altered by amounts a human would not notice, chosen so that every small change pushes the network's decision the same way. Hey, Alexa, I didn't order that!
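The mechanism behind those adversarial examples, as an added illustration that is not from the article or from the papers it alludes to. A logistic-regression classifier (the final layer of a network, and the case for which Goodfellow and colleagues gave the 'linear explanation' of adversarial examples) is trained by gradient descent on constructed 64-feature data; then the class +1 prototype is perturbed in two ways of exactly the same size: by the fast gradient sign method, which moves every feature by 0.15 in the direction the weights dislike, and by random ±0.15 noise. The coordinated perturbation flips the decision; the random one does not, because 64 small pushes add up only when they all point the same way. The data generator, seed, dimension, training schedule and epsilon are all choices made for this example.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

const dim = 64 // features per input (constructed; think of a tiny image)

// Model is a logistic-regression classifier. The last layer of a neural
// network is exactly this, and the perturbation below transfers to deep models.
type Model struct {
	W []float64
	B float64
}

func (m Model) score(x []float64) float64 {
	s := m.B
	for i, w := range m.W {
		s += w * x[i]
	}
	return s
}

// Predict returns the class label, +1 or -1.
func (m Model) Predict(x []float64) int {
	if m.score(x) > 0 {
		return 1
	}
	return -1
}

// makeData constructs a toy two-class set: every feature of class +1 is
// centred at +0.1 and of class -1 at -0.1, both buried in noise of std 0.3.
func makeData(rng *rand.Rand, perClass int) ([][]float64, []float64) {
	var xs [][]float64
	var ys []float64
	for _, label := range []float64{1, -1} {
		for n := 0; n < perClass; n++ {
			x := make([]float64, dim)
			for i := range x {
				x[i] = 0.1*label + 0.3*rng.NormFloat64()
			}
			xs = append(xs, x)
			ys = append(ys, label)
		}
	}
	return xs, ys
}

// Train fits the model by full-batch gradient descent on the logistic loss.
func Train(xs [][]float64, ys []float64, epochs int, lr float64) Model {
	m := Model{W: make([]float64, dim)}
	n := float64(len(xs))
	for e := 0; e < epochs; e++ {
		gW := make([]float64, dim)
		gB := 0.0
		for k, x := range xs {
			// d/ds log(1+exp(-y*s)) = -y / (1+exp(y*s))
			g := -ys[k] / (1 + math.Exp(ys[k]*m.score(x)))
			for i := range gW {
				gW[i] += g * x[i]
			}
			gB += g
		}
		for i := range m.W {
			m.W[i] -= lr * gW[i] / n
		}
		m.B -= lr * gB / n
	}
	return m
}

// FGSM is the fast gradient sign method: shift every feature by eps in the
// direction that lowers the score for the true label y. For a linear model
// the gradient of the score is W itself, so the shift is -y*eps*sign(W[i]).
func FGSM(m Model, x []float64, y, eps float64) []float64 {
	adv := make([]float64, dim)
	for i := range x {
		adv[i] = x[i] - y*math.Copysign(eps, m.W[i])
	}
	return adv
}

// RandomNoise shifts every feature by the same eps, but in a random direction
// that knows nothing about the model, for comparison.
func RandomNoise(rng *rand.Rand, x []float64, eps float64) []float64 {
	out := make([]float64, dim)
	for i := range x {
		out[i] = x[i] - eps
		if rng.Intn(2) == 0 {
			out[i] = x[i] + eps
		}
	}
	return out
}

// Demo trains on constructed data and returns the predictions for the clean
// class +1 prototype, its FGSM perturbation and its random perturbation.
func Demo() (clean, adversarial, noisy int) {
	rng := rand.New(rand.NewSource(7)) // fixed seed: the run is reproducible
	xs, ys := makeData(rng, 200)
	m := Train(xs, ys, 200, 0.5)
	x := make([]float64, dim)
	for i := range x {
		x[i] = 0.1 // the class +1 prototype
	}
	const eps = 0.15 // same L-infinity budget for both perturbations
	return m.Predict(x), m.Predict(FGSM(m, x, 1, eps)), m.Predict(RandomNoise(rng, x, eps))
}

func main() {
	c, a, r := Demo()
	fmt.Printf("clean: %+d   FGSM eps=0.15: %+d   random eps=0.15: %+d\n", c, a, r)
}
```

Both perturbations change each feature by 0.15 on a scale where the class signal is 0.1 and the noise is 0.3, so no single feature looks unusual afterwards; the difference is only that FGSM's changes are correlated with the weights. That is why the glasses-frame and audio attacks work with alterations a person does not register.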
If you're stuck for something to do, follow my posts on Twitter. I link to interesting articles on new electronics and related technologies, retweeting posts I spot about robots, space exploration and other issues.
Comments
Hi Bill, long time no speak!
This is a great article. IoT security is a huge topic right now and obviously one that is of great interest to my company (we're an IoT connectivity platform) too... Not that all this IP-based hackery is a problem for us. We prefer to do IoT without the internet! ;)
@LStacey Thanks! I guess your company believes in the principle of the air firewall. Even 20 years ago I remember this was the system adopted by military establishments. Nowadays when I hear someone has hacked into the US CIA or NSA I don't believe a word of it. All the really sensitive stuff will definitely be 'off-line'. Whoops, there I go getting all X-Files again. :-)