Malware for IoT: When Bad Code Gets Even Worse
Triton is the first piece of (known) malware specifically designed to harm human life.
There is no denying that with the rise of smart factories, we’re entering a new era of manufacturing.
According to a recent piece in MIT Technology Review, IoT connectivity “can make businesses much more efficient and productive, which explains why [manufacturers] are expected to spend around $42 billion this year on industrial internet gear such as smart sensors and automated control systems.”
Indeed, as Chalmers University of Technology’s Johan Stahre explains in the above video, “by connecting all the tools, and all the machines, and all the robots, and all the people, I think we have the right components to make something happen.”
But this interconnectivity also makes it easier for something else decidedly less beneficial to happen: cyber warfare.
Security consultant Julian Gutmanis had this sobering realization just a few years ago, when he found himself on the team that uncovered the first ever malware code intentionally designed to harm human life.
Now known as Triton – after the Triconex safety controller model it first targeted at a petrochemical plant in Saudi Arabia – this malware made it possible for hackers to take over the plant’s safety systems remotely.
“We knew that we couldn’t rely on the integrity of the safety systems,” Gutmanis told MIT Technology Review. “It was about as bad as it could get.”
“In a worst-case scenario,” the MIT article points out, “the rogue code could have led to the release of toxic hydrogen sulfide gas or caused explosions, putting lives at risk both at the facility and in the surrounding area.”
This ticking time bomb was averted, however, after a flaw in the hackers’ code fortunately triggered alarms in the system, which brought all factory operations to a standstill. It was after the second shutdown that Gutmanis was called in.
Investigators now believe that the hackers had been inside the petrochemical company’s corporate network since 2014.
“From there, they eventually found a way into the plant’s own network, most likely through a hole in a poorly configured digital firewall that was supposed to stop unauthorized access. They then got into an engineering workstation, either by exploiting an unpatched flaw in its Windows code or by intercepting an employee’s login credentials,” the MIT piece explains.
The hackers also managed to exploit a zero-day vulnerability in the Triconex controller’s firmware, which allowed them to “inject code into the safety systems’ memories,” essentially giving them unlimited access.
“Targeting safety systems just seemed to be off limits morally and really hard to do technically,” said Joe Slowik, a former information warfare officer in the US Navy.
Not only are such tactics no longer off limits, they’re also becoming more widespread. Dragos, an industrial cybersecurity firm, believes it has found evidence that this same hacking group is now “using some of the same digital tradecraft to research targets in places outside the Middle East, including North America.”
And it isn’t just the Triconex controller this new code is targeting.
While this news is certainly worrisome, Gutmanis believes that companies can learn potentially life-saving lessons from his work at the petrochemical plant.
For instance, the Saudi factory had failed to follow up on several antivirus alarms triggered by Triton. It also failed to notice unusual traffic across its networks. Workers were also leaving the keys that control the Triconex system in a position that made remote access possible.
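Two of those lessons – noticing traffic that crosses into the safety-system network and following up on antivirus alarms – lend themselves to a simple automated check. The script below is an added example, not code from the DZone article, the MIT Technology Review piece, or any of the firms mentioned; the network zones, addresses, port numbers, host names and log lines are all constructed for illustration, and the log formats are hypothetical.

```python
"""Added example: flag flows that enter the safety-system zone from anywhere
other than the engineering zone, and list antivirus alerts that nobody has
acknowledged within a grace period.  All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed zone addressing (hypothetical, not from the article).
ZONES = {
    "corporate":   ipaddress.ip_network("10.1.0.0/16"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "safety":      ipaddress.ip_network("10.30.0.0/24"),
}

# Policy: only engineering workstations may initiate traffic into the safety zone.
ALLOWED_INTO_SAFETY = {"engineering"}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it matches none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    # Constructed format: "<iso-timestamp> <src> -> <dst>:<port>"
    ts, src, _, rest = line.split()
    dst, port = rest.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src, dst, int(port))


def find_zone_violations(lines):
    """Return (src, src_zone, dst, dport) for every flow into the safety zone
    whose source zone is not on the allow list."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        src_zone = zone_of(f.src)
        if zone_of(f.dst) == "safety" and src_zone not in ALLOWED_INTO_SAFETY:
            hits.append((f.src, src_zone, f.dst, f.dport))
    return hits


@dataclass
class AvAlert:
    ts: datetime
    host: str
    name: str
    acknowledged: bool


def parse_av(line: str) -> AvAlert:
    # Constructed format: "<iso-timestamp> <host> <detection-name> ack=yes|no"
    ts, host, name, ack = line.split()
    return AvAlert(datetime.fromisoformat(ts), host, name, ack == "ack=yes")


def stale_alerts(lines, now, max_age=timedelta(days=2)):
    """Return 'host:detection' for alerts still unacknowledged after max_age."""
    return [f"{a.host}:{a.name}" for a in map(parse_av, lines)
            if not a.acknowledged and now - a.ts > max_age]


# Constructed sample data; the port value is illustrative only.
SAMPLE_FLOWS = [
    "2017-06-01T02:10:00 10.20.0.5 -> 10.30.0.10:1502",     # engineering -> safety: allowed
    "2017-06-01T02:11:00 10.1.5.23 -> 10.30.0.10:1502",     # corporate -> safety: violation
    "2017-06-01T02:12:00 10.1.5.23 -> 10.20.0.5:445",       # corporate -> engineering: not this check's concern
    "2017-06-01T02:13:00 192.168.99.9 -> 10.30.0.11:1502",  # unknown -> safety: violation
]
SAMPLE_AV_ALERTS = [
    "2017-06-01T03:00:00 ENG-WS-01 Trojan.Generic ack=no",  # ignored for 9 days
    "2017-06-09T12:00:00 ENG-WS-02 PUA.Tool ack=no",        # only 12 hours old
    "2017-05-20T08:00:00 CORP-PC-7 Worm.X ack=yes",         # handled
]
NOW = datetime.fromisoformat("2017-06-10T00:00:00")

if __name__ == "__main__":
    for hit in find_zone_violations(SAMPLE_FLOWS):
        print("zone violation:", hit)
    for item in stale_alerts(SAMPLE_AV_ALERTS, NOW):
        print("unacknowledged AV alert:", item)
```

The zone check is deliberately one-directional: it only asks whether something outside the engineering zone reached the safety zone, which is the crossing the article says went unnoticed. A real deployment would feed it from firewall or flow exports rather than a list of strings, and the grace period for unacknowledged alerts would be set by the site's incident-handling policy.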
Other experts, though, are encouraging a more heavy-handed defense strategy – to eliminate as many digital access points as possible.
This seems an unlikely solution given the level of corporate investment worldwide, but at the end of the day, lawsuits stemming from sabotaged equipment malfunction are certainly not ideal for the bottom line.