The United States Department of Defense (DoD) has identified several Internet of Things (IoT) scenarios that underscore the need for strong cybersecurity measures.
One scenario, highlighted in a July 2017 report issued by the Government Accountability Office (GAO), saw an attack on a smart meter, leading to a shut down of an air conditioning system and crash of DoD servers. Another attack showcased a malicious insider seizing control of water system to flood a ship in a dry dock.
There’s Always a Way In: How IoT Security Affects the Military
The July 2017 GAO report, titled Enhanced Assessment and Guidance are Needed to Address Security Risks in DoD, determined that while the DoD has begun to examine security risks of IoT devices through its infrastructure-related and intelligence assessments, the department has not conducted the required assessments in relation to the security of its operations.
Moreover, while the DoD have prescribed policies related to IoT security, those policies have gaps. According to Joseph Kirschbaum, the director of defense capability and management at GAO and the lead author of Enhanced Assessment and Guidance, “there’s an emerging recognition of the perils, and there’s an emerging response to them. The agencies are not quite there yet, but they want to get there.”
The United States Air Force (USAF) already uses IoT solutions for tasks such as monitoring vehicle engine wear, and is piloting (no pun intended) a number of “smart base” tools. The use of IoT solutions leaves vulnerabilities for hackers to exploit. Frank Konieczny, the CTO of USAF, says that, as an example, an adversary might attack monitoring systems to make it appear as though a fuel tanker’s tires have gone flat, thereby taking the vehicle out of commission.
The use of IoT solutions in the military also leave it vulnerable to having their building systems and physical facilities compromised. For example, an attacker could gain access to the network through a weakly protected IoT device and could even move onto more critically sensitive IT assets if the point of entry is not segmented from the rest of the network.
I’ll Let Myself In, Thanks: Security Flaws in IoT Devices
Enhanced Assessment and Guidance identifies device risks such as supply chain threats (devices made by manufacturers from “adversarial” countries like China and Russia), lack of encryption in devices right out of the box, poor security in device design, and patch or upgrade deficiencies. In the case of supply chain threats, the US government has already acted by dissuading AT&T and Verizon from striking a carrier deal with Huawei, preventing both carriers from selling the latter’s Mate 10 Pro flagship phone. In January, 2018, Congressman Mike Conaway (R-TX) also introduced the Defending US Government Communications Act, which would ban government agents from using Huawei and ZTE phones.
In terms of operational risks, the GAO report identified rogue applications (i.e.: applications that could take pictures or track the user’s location), rogue wireless devices planted by an insider, and expansion of attack surface (the increasing of number of vulnerable points thanks to a growing ubiquity of IoT devices).
The report acknowledged that manufacturers have little incentive “to design security functions into the software or hardware of their products, resulting in little thought or effort given to security.” A separate DoD report in 2016 found that IoT devices are often sold with old and unpatched software that can lead to the device being exploited as soon as it is activated out of the box.
The Department’s current policies are insufficient for certain devices, such as smart televisions in unsecured areas. In that case, manufacturers could access the devices remotely. Using remote access, manufacturers could potentially eavesdrop on conversations and even send recordings of said conversations to third parties.
At current, the Navy and the Marine Corps, who have acknowledged the need for smart televisions, do not have service-wide policies addressing cybersecurity controls for them. Moreover, officials from Joint Force Headquarters-DoD Information Networks highlighted the potential of attacks to hop from smart televisions to personal devices, which could then allow the attacker to gain data on DoD personnel.
The download of unauthorized applications on devices also poses a threat. DoD officials have highlighted the need for policies that could lead to the automatic removal of unauthorized applications from DoD mobile devices, or restriction on the number of parties to whom data is transmitted from an application. A DoD report pointed out that downloading certain applications on one’s phone might let the user unwittingly grant third parties access to their personal information.
While the DoD’s policies have significant gaps in relation to potential threats, the Department is nevertheless acting to protect against potential attacks. In March 2016, the Office of the Assistant Secretary of Defense directed military departments and other DoD components to implement cyber security controls on their facility industrial controls systems, including devices and sensors. All the involved departments drafted and submitted implementation plans or a strategy to the Office by February 2017. The Department’s goal is to implement cybersecurity controls on most critical control systems by the end of fiscal year 2019.
The Office of the DoD Chief Information Officer has established an information working group for DoD officials working on IoT issues. The group has attended IoT workshops and authored a policy paper titled DoD Policy Recommendations for the Internet of Things in December 2016 to raise awareness of IoT issues. Their next steps are to establish an IoT community of interest and to produce another IoT report that focuses on DoD responsibilities, as well as a more detailed policy analysis.
Finally, the Defense Advanced Research Projects Agency (DARPA) has a few ongoing research programs that hope to address IoT issues. One program, the Leveraging the Analog Domain for Security program seeks to develop new cyber techniques in digital devices by monitoring their analog emissions, and is projected to continue through December 2019. The program hopes that studying analog signals will help the Department better monitor IoT devices and detect deviations from normal behavior to better provide protection.
Other programs include the Vetting Commodity Information Technology Software and Firmware program, which aims to develop checks for broad classes of malicious features and dangerous flaws in software and firmware. The program aims to ensure that devices used by the Department do not contain malicious code or malware.
Conclusion
The lack of security measures in IoT devices not only affect civilians, but also the government and the military as well. GAO’s report reveals that even the DoD has challenges to overcome with regards to safeguarding sensitive information.
Whether it is devices with outdated firmware installed, or an easily exploitable smart device that can be attacked and used as a springboard to hop to personal devices, the DoD has its work cut out. Nevertheless, they have taken measures to address their lack of security measures, such as establishing research programs and raising awareness.