As the world becomes increasingly interconnected through technology, information security vulnerabilities emerge from the deepening complexity. Unexpected interactions between hardware and software components can magnify the impact of a vulnerability. As technology continues its shift away from the PC-centric environment of the past to a cloud-based, perpetually connected world, it exposes sensitive systems and networks in ways that were never before imagined.
The information security community must be prepared to address emerging systemic vulnerabilities. To help identify these vulnerabilities, a team of researchers--in addition to myself, the team included Joel Land and Kyle O'Meara--identified at-risk, emerging technologies by breaking down major technology trends over the next 10 years. This blog post, which is abstracted from our technical report on this work, highlights the findings of our research, which helps the Department of Homeland Security United States Computer Emergency Readiness Team (US-CERT) in their work towards vulnerability triage, outreach, and analysis.
A measured approach to analysis is required when undertaking the hard task of reviewing all new and emerging technology domains, their likelihood of success, and any potential vulnerabilities. CERT researchers used Gartner's long-term assessment of emerging technologies as a filter to form the initial list of domains. Our team of researchers then triaged each identified domain according to safety, privacy, financial, and operational impact that a cybersecurity incident could cause.
In addition to identifying risks, we included a specific approach recommended by CERT for improving security in each domain.
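As outlined in our technical report, 2017 Emerging Technology Domains Risk Survey, we identified eight emerging domains, along with the expected timelines for major worldwide adoption, the impact on cybersecurity, supporting standards, and underlying technologies of these domains. The eight domains are blockchain, intelligent transportation systems, Internet of Things (IoT) mesh networks, machine learning, robotic surgery, smart buildings, smart robots, and virtual personal assistants.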
This report covers new or changed domains compared to the CERT/CC 2016 Emerging Technology Domains Risk Survey. This list does not supersede previous reports. Many of the previously reviewed domains remain important. Instead, this report can be considered an addendum to that report.
The remainder of this blog posting examines each of these at-risk emerging technology domains.
Blockchain. A blockchain is a highly distributed data structure that underlies such technologies as the Bitcoin digital currency. Blockchain can provide a high level of data integrity without the need for centralized management. This approach allows participants to securely perform transactions without an existing trust relationship. Blockchain technology is being investigated for its potential to decrease overhead costs in finance, real estate, insurance, contracts, intellectual property, and other transaction-based industries.
The potential impact of security vulnerabilities in the blockchain ecosystem depends on the value of the information it is protecting. Since the primary use to date is for financial or finance-related transactions, the impact can be severe for companies whose business is based on the technology. There have been several significant thefts of Bitcoins already. The largest of these was the collapse of the Mt. Gox Bitcoin exchange, in which 850,000 Bitcoins (with a value of approximately $4.8 billion U.S. dollars as of Oct. 2017) were lost and presumed stolen.
This technology is still developing and has only one proven business model to date, which is Bitcoin itself. Given the amount of research being done in this domain in multiple industries, it is likely that blockchain-related technologies will become more widespread in the near future.
Intelligent transportation systems. The CERT 2016 Emerging Technology Domains Risk Survey identified several emerging domains related to connected and autonomous vehicles. While those domains are still highly relevant, they are increasingly co-mingling in what are called intelligent transportation systems (ITS). Future ITSs will provide communications and data between connected and autonomous cars and trucks, road infrastructure, other types of vehicles, and even pedestrians and bicyclists. The goal of these systems is not only to provide individual vehicles and users with information they need, but also to provide central authorities with the ability to better manage traffic at the macro level.
Pilot ITS programs are already running in multiple U.S. cities, but they will not be widely deployed for 5-10 years. CERT researchers believe that there will be a gradual adoption of ITS components. GPS and traffic apps already have a degree of intelligence, but substantial policy, economic, and safety concerns will likely delay implementation of fully integrated systems for at least 10 years. Although there have been vulnerabilities in individual components from self-driving cars to traffic lights, CERT is not aware of any exploitations currently being tested or deployed in public. The impact of security compromises is similar to the impact for individual autonomous or connected vehicles, but on a larger scale. A miscommunication in the system, whether accidental or intentional, could lead to numerous traffic accidents, cause property damage, injury, and possibly death. CERT recommends continued outreach and technical research in all areas of transportation security.
Internet of Things (IoT) Mesh Networks. A mesh network is a decentralized network topology where many or all of the networked devices double as nodes through which data may propagate. Mesh networks are not uniquely the province of the IoT, but IoT stands to become a significant driver of their use as it continues to be commercially successful. There are a few characteristics of IoT mesh networks that set them apart from general mesh networks: the devices or nodes typically have low power and bandwidth requirements, communicate wirelessly, and do not remain in fixed locations. A number of competing low-power communications protocols that support wireless mesh networking have emerged to support these IoT characteristics, including ZigBee, Z-Wave, 6LoWPAN, and Thread.
By interfacing with traditional network technologies to obtain Internet connectivity, IoT mesh networks will extend the perimeter both as access points and as additional targets for exploitation. CERT researchers recommend engagement with the standards bodies and device vendors towards establishing and reinforcing good security practices and awareness. ZigBee implementation flaws were abused to take control of smart light bulbs and unlock smart locks as discussed at Black Hat 2015. In an IoT hacking contest at DEF CON in 2016, 47 new vulnerabilities were identified across devices from 21 product vendors. IoT devices have also been implicated in a number of distributed denial of service (DDoS) attacks.
IoT mesh networks generally carry risks similar to those of traditional wireless networking devices or access points (e.g., spoofing, man-in-the-middle attacks, and reconnaissance). They also carry risks based on device designs and their implementations of protocol-specific security features. A single compromised device may become a staging point for attacks on every other node in the mesh, as well as on home or business networks that act as Internet gateways.
Machine Learning. Machine learning broadly refers to the processes by which a program can be trained on a body of data to make inferences about new or related information. Real-world applications of machine learning range from big data analytics and data mining to image processing, spam filtering, intrusion detection systems, and self-driving cars. Generally, machine learning enables the automation of inductive reasoning about data, including pattern recognition and anomaly detection tasks.
Machine learning is a fundamental component of other emerging domains, and particularly of artificial intelligence. CERT researchers expect machine learning to be one of the most aggressive and quickly adopted technology trends over the next several years.
The actual security impact of vulnerabilities in machine learning technologies will largely depend on specific implementations. Where sensitive information is aggregated, for example, there is the potential for theft or leakage. The ability of an adversary to introduce malicious or specially crafted data for use by a machine learning algorithm may lead to inaccurate conclusions or incorrect behavior. Fooling the sensors of a self-driving car may lead to accident, injury, or death. Another threat is that attackers may be able to create a maliciously trained neural network or other ML system. As a component technology, machine learning does not easily fit into a general strategy of observation. CERT researchers suggest monitoring individual emerging technologies on a case-by-case basis for characteristic uses of machine learning to identify the gravity of potential abuses. Characteristics of interest likely include big data applications dealing with sensitive information, security products whose efficacy depends on effective anomaly detection, and learning sensors that inform actions in physical reality (such as in self-driving vehicles).
Robotic Surgery. Robotic surgery in current practice typically refers either to
Robotic surgery has the demonstrated potential to facilitate the performance of complex procedures with greater precision and fewer complications than conventional techniques. According to numbers from Intuitive Surgical, more than 3 million patients have been operated on using their da Vinci Surgery devices.
University research in 2015 uncovered numerous vulnerabilities in surgical robots that could be exploited to create denial of service conditions or manipulate controls. The high occurrence of hospital network compromise--90 percent of healthcare organizations suffered a breach between 2014 and 2016--combined with the increasing connectivity of medical devices has set the stage for the recent global WannaCry ransomware attack that broadly affected British National Health Service organizations.
Due to cost, individual product testing may be prohibitive; however, reviewing independent studies and component datasheets may help to isolate areas to focus interest. According to CERT researchers, the biggest area of concentration should be devices with networked communications, as these may be at risk for remote attacks.
Smart Buildings. The concept of smart buildings currently refers to using IoT sensors and data analytics to make commercial buildings more efficient, comfortable, and safe. Typically this approach involves monitoring sensors to make real-time adjustments to lighting, HVAC, security, and maintenance parameters.
More smart building technologies might be introduced in the future. One such technology is reconfigurable interiors. The mixture of office space vs. meeting space could ebb and flow based on occupancy, or an event planner could specify the square footage desired for an event, and the building would rearrange interior walls to accommodate it. Another technology being touted is "self-awareness," that is, the ability of a building to detect potential maintenance issues and take some sort of action to fix the issue without the need for human analysis.
The highest security risks in this field will involve safety- and security-related technologies, such as fire suppression, alarms, cameras, and access control. There have been published vulnerabilities in specific systems, such as cameras. The Mirai botnet used a large number of surveillance cameras and DVRs to attack other systems. As these systems become more interconnected and ubiquitous, we expect to see more compromises.
CERT researchers recommend outreach as well as technical research in smart building technologies, particularly safety- and security-related technologies.
Smart Robots. Smart robots are autonomous machines that work alongside or in the place of human workers. As the machine learning and artificial intelligence domains come into prominence, smart robots will emerge that can learn from their environments, adapt, and make informed decisions, or "behave like MacGyver". As capabilities continue to advance, it is reasonable to expect that we will find smart robots, humanoid or otherwise, affecting all facets of our lives.
There are many components in the smart robot ecosystem, not limited to hardware, operating system, and interconnectivity with other networked devices. Well-known classes of software and network vulnerabilities will likely be discovered. It is not hard to imagine the financial, operational, and safety impact of shutting down or modifying the behavior of manufacturing robots; delivery drones; service-oriented or military humanoid robots; industrial controllers; or, as previously discussed, robotic surgeons. There is active research on the security of existing robot products that has resulted in the discovery of numerous specific vulnerabilities. Examples of the potential impact of exploitation can be seen in tangential or overlapping domains, including robotic surgery, IoT, autonomous vehicles, and others.
As another broad domain of interest that includes everything from drones to industrial controls to robotic surgery, it is hard to make general recommendations about smart robots as an emerging domain. CERT researchers encourage vigilance and proactive engagement with industry, academia, and standards bodies.
Virtual Personal Assistants. A virtual personal assistant (VPA) is a data-crunching application that mimics the skills and functions of a human assistant. Popular examples include Apple's Siri, Google Now, Amazon's Alexa, and Microsoft's Cortana. By seamlessly applying machine learning analytics to constantly evolving user data, VPAs are uniquely positioned to streamline and improve task management and performance. As VPA technology and the intrinsically related domains of machine learning and artificial intelligence continue to mature, its functionality will continue to expand, shaping how users interact with their Internet-connected ecosystems.
The efficacy of VPAs is almost wholly dependent on access to data, making privacy the chief concern from a security perspective. VPAs will potentially access users' social network accounts, messaging and phone apps, bank accounts, and even homes. In business settings, they may have access to knowledge bases and a great deal of corporate data. There are many articles addressing privacy concerns since VPAs will have access to large amounts of data, but how consumers' information will be shared with outside firms has yet to be fully defined. The other privacy concern is the trail of information a user could leave with having everything accessed and shared by a VPA.
CERT researchers recommend obtaining and maintaining awareness of the presence and data curation practices of emerging and established VPAs.
Wrapping Up and Looking Ahead
This report also identifies the domains that should be prioritized for further study based on a number of factors. Three domains must be considered high priority for outreach and analysis in 2017:
Approaches to improving security should be adjusted depending on the specific nature of each domain. In some cases, outreach is the best approach for improving the security of a technology; in other cases, technical vulnerability discovery may be the best way to provide better information to the government and public.