It sounds like a James Bond movie: criminals who follow a meeting of government leaders on their smartphone via a hacked security camera. Or robot vacuum cleaners that spy on the room via webcam and audio, controlled by a state hacker. This is not science fiction but the daily reality of Ronald Heil, plenary speaker during the D&E event on May 17 in the Evoluon Eindhoven. Ronald is Partner Cyber Security at KPMG and during the event he will introduce you to the mindset of cyber criminals who target your company and products.

“Many companies think that their electronics are safe, but nothing could be further from the truth,” says Ronald. “They focus on a small part of their product, for example the chip, but forget that that chip is part of an embedded system which is part of a larger system or device. The chip may be well secured, but if the environment is not, a hacker can still get in. Chips make contact with a communication network via components and that is where things sometimes go wrong in practice. If the channel used to communicate is not adequately secured, a cybercriminal can take over the product. The security of the chip itself often does not prevent this.”

Digital door open
“Many products contain software, but companies do not sufficiently realize that that software also needs to be maintained. They think: I have sold the product and that ends my responsibility. This is a wrong way of thinking. It is important to maintain the product and implement new updates immediately. Security updates contain important patches for vulnerabilities in the software. If you don't install those patches, you open the digital door to unwanted visitors. Embedded systems nowadays are often in contact with a network via multiple points and all those points are potentially hackable. For example, we recently examined a digital cabinet with smart locks for picking up packages. That cabinet turned out to be unsafe in more than twenty places. You could open the locks digitally in various ways, but also with a key for the bypass locks. We discovered that you could order this key, which an employee uses to open a locker if the customer has forgotten his PIN code, online for just one euro. That was a bit of a shock for the manufacturer, who thought that his security was in perfect order.”

Most devices are hackable
“It is often a difficult decision for manufacturers. They want to put a safe product on the market, but the consumer is not always willing to pay for that safety. The customer still chooses the cheaper kettle, even though he knows that it increases the risk of fire. As a consumer you also have to wonder how the security of that dirt-cheap electronics product from China is arranged. How is the product protected against cyber attacks and who takes care of the updates?”

“In principle, anything you can open is hackable. I dare say that 80% of the firmware is easy to investigate. This partly has to do with consumer law. Manufacturers work with standard development kits. It must be legally possible to repair and maintain a broken product, and for this you must be able to open it. This is understandable, but it does entail security risks. It is a cat-and-mouse game between the hacker and the manufacturer.”

Black and white hat hackers
“I started at KPMG 21 years ago as an ethical hacker (a hacker who detects security flaws in a product without criminal intent, ed.). From that technical background, I understand how a hacker thinks. Hackers always try to enter through the 'back door', while manufacturers think that consumers only use the front door. In other words: they think that consumers always use a product exactly as they intended. But nothing could be further from the truth.”

“Ethical hackers are also called white hat hackers. They are creative people who are of great value to a company. They test an electronics product with embedded hardware before production to detect vulnerabilities. This is how you, as a manufacturer, prevent black hat hackers (cyber criminals) from taking over your product once it is on the market.”

Any entrance is fine
“Any entry is fine for hackers. Take for example the badges with which employees open the gates of their company. These gates are often very easy to hack. You open the device, attach a cable, inject code and you're in. The whole security system behind it makes little difference to the hacker. That can cost millions of euros and be properly certified, but the hacker can easily circumvent this via the exposed connections. That's the joke: the vulnerability is not in the expensive software, but in the plastic casing. Insufficient attention is often paid to this. If you ensure that the hardware is difficult to open by, for example, installing a good lock or alarm, it becomes a lot more difficult for a cybercriminal to gain entry. Opportunistic black hat hackers are in that respect just like 'normal' burglars: if they have to make too much effort, they would rather go to the neighbor.”

A wake-up call
“What I hope to achieve with my presentation during D&E is that companies and organizations look more at their environment and not just at their product or one small part of it. I hope I can wake up my audience. Unsafe equipment can ultimately be used against you.”

“Updating the software in electronics is a challenge. The software must be updatable so that you can mitigate future vulnerabilities, but at the same time you want to prevent malicious parties from abusing this functionality. That is a dilemma for the manufacturer. If you don't take measures as a company, IoT malware can spread quickly from device to device. A recent example is Apache Log4j, a piece of software that has been installed in millions if not billions of embedded devices. Last year we suddenly discovered that this software may contain a vulnerable version. Practice has yet to show what the consequences of this vulnerability are, but it seems very difficult to patch devices that use Apache Log4j. This may make many IoT devices hackable.”

Fun hackers, cybercriminals and hacktivists
“Not all hackers have criminal motives. You have people who break in digitally for fun, and so-called hacktivists. These are digital activists who hack as an act of protest. Anonymous is an example of that. And then you have state hackers who carry out cyber attacks on a country. For example, during the invasion of Ukraine, state hackers disabled Ukrainian satellite receivers. They did this through commercial pieces of embedded software that are built into military devices. Here too, the system as a whole had not been sufficiently checked, which allowed hackers to take their action, with major consequences for the Ukrainian army.”

Cyberwar
“Another example is a navy ship that accidentally sailed into Iranian waters. Not with malicious intentions, but because the sensor systems of three satellite receivers had been hacked and injected with code that caused them to provide false coordinates. A warship simply entering the waters of another country essentially means a declaration of war. Iran immediately started shooting. These are very dangerous situations where the social consequences of hacking are incalculable.”

Failure of critical infrastructure
“An example from everyday life is charging stations. They are connected to a network. If charging stations contain vulnerabilities and are collectively taken over by hackers, it is possible to charge a large number of electric vehicles in the Netherlands at exactly the same time, with the push of a button. And stop again and start again. This could cause part of the electricity grid to fail. With all its consequences. Cybercriminals are also targeting vital infrastructures en masse, but they have different intentions. They have no political motives, but are looking for financial gain.”

“Cybercriminals are becoming increasingly organized and professional. A few years ago, a well-known Danish international company suffered hundreds of millions of euros in damage due to aggressive ransomware which in retrospect wasn't even meant for them. It was a nation-state attack. That is a group of hackers that is often sponsored by an enemy country. They don't care if there are other victims and companies get into trouble.”

Think like a hacker
“As a company you have to think differently; rethink. Try to think like a hacker: how else could I get in? How else could my product be used? With so many devices connected to a network today, organizations are increasingly at risk from cyber attacks. The more IoT devices you connect as a company and the more you make use of embedded systems, the more hackable you can become. The threat often comes from an unexpected source and is often the result of a human error: an employee who accidentally clicks on a phishing link; a USB stick that is used in multiple environments but also to update the software of the 'system'. That is why as a company you have to take everything into account and tackle the entire environment. Know yourself and know your enemy.”

Would you like to hear Ronald Heil speak live? Then register now for the D&E event on May 17 in the Evoluon Eindhoven.
