Domains of Cyber-Physical Systems

The range of cyber-physical devices extends from industrial and robotics domains to medical implants and consumer IoT devices. For concreteness, we will address only the last two here. Cybersecurity in robotics is certainly interesting but is left out of this basic course. You can read more in CyBOK Chapter 21.3, which also briefly covers industrial automation, autonomous vehicles, and smart grids. Research on the security of “smart ships” is also being conducted at TAU; see this introductory article (2018).

Medical Devices

Due to their security and privacy risks, embedded medical devices have been a significant focus of CPS research.

Therac-25 is one of the most famous examples of how software problems can harm or even kill people. Therac-25 was a computer-controlled radiation therapy machine used in the mid-1980s. Due to programming errors (especially a race condition), the device delivered radiation doses more than a hundred times higher than intended for therapy to some patients. This led to deaths and injuries. Part of the harm was also due to Therac-25 using code from Therac-6 and Therac-20 devices, which had hardware-level safety mechanisms compensating for software deficiencies. Commands entered too quickly also caused errors. (See sources: Wikipedia, technical report (1992).)

In Therac’s case, it was an accident—or a cynic might blame laziness, incompetence, and regulatory gaps. Legislation has a strong guiding effect on CPS security (cf. earlier diagram). Typically, regulation only progresses after sufficient harm and publicity.

But what if it’s a hostile attack?

When talking about Implantable Medical Devices (IMDs), one might think of futuristic cyberpunk concepts. However, IMDs already include established devices such as pacemakers, defibrillators, neurostimulators, and drug delivery systems. A book published in 2017 on security for advanced neuroprosthetics considers issues not yet implemented..

IMD devices are often reprogrammable by physicians, which opens them to security and privacy threats, especially when an attacker can impersonate a device used to change IMD settings.

Attacks on medical devices can be divided into eavesdropping attacks (passive) and injection attacks (active), where the attacker can alter data. To reduce attacks on these telemetry interfaces, authentication (e.g., biometric) and external wearable devices have been proposed, which allow or deny access to the medical device depending on whether the wearable is present. For attack detection, behavioral models have been proposed to distinguish safe from dangerous behavior.

A proposal for IMD authentication is the so-called touch-to-access principle. Its basic idea is that an IMD inside a patient can be externally controlled only by a device that is in direct contact with the patient and authenticated by a biometric signal (e.g., heartbeat intervals). The critical challenge is ensuring these biometric signals cannot be read remotely. However, for example, heartbeats can be inferred from side channels such as webcams and infrared lasers.

Security requirements, of course, are not limited to implants or other devices. As more computer- and software-based technology enters healthcare, the industry must increase its security efforts. Medical data is an attractive target for theft, privacy violations, and ransomware-based denial-of-service attacks.

Internet of Things

Consumer IoT devices—the Internet of Things—are now everywhere: in homes as voice-controlled virtual assistants, automation devices, smart devices, and surveillance equipment; in healthcare as wearables, including fitness and health monitoring devices; as internet-connected educational toys for children; and in entertainment as various WiFi-controlled devices.

As everyday life becomes increasingly dependent on these systems, concerns about their security have grown. Device security depends on the integrity of the software and firmware they run and the implemented security mechanisms.

New attack vectors make IoT devices attractive targets for criminals. A simple example is organizing vulnerable IoT devices into massive distributed denial-of-service attacks, as the Mirai botnet did in 2016. Other examples include attackers who breached a casino’s internal network via an aquarium (2017), or attackers who used ransomware to lock hotel rooms and demanded payment so guests could access their rooms (2017).

A large portion of IoT botnets consists of internet-connected cameras. Unauthorized access to internet cameras has been frequently reported. Many video feeds are freely (though illegally) available online and can be found via IoT indexing platforms like Shodan. Consumers who leave factory settings on their devices are easily exposed to privacy risks. However, IoT threats do not end with privacy issues and DDoS attacks. Vulnerabilities in consumer IoT devices such as drones, IoT cameras, smart toys, and intimate devices can also lead to physical harm (e.g., drones used to injure people), exploitation, and harassment. Understanding these new forms of physical and psychological harm requires collaboration between social scientists and legal experts to create new frameworks.

One area that has attracted significant attention from researchers is the security of voice-controlled virtual assistants. For example, they have managed to inject inaudible commands into virtual assistants by exploiting microphone nonlinearities. Other studies have shown attacks such as ”voice squatting” or ”voice masquerading”. For example, a consumer might want to open the app “Capital One,” but an attacker has made available an app called “Capital Won,” which the assistant might open instead. The assistant might also fail to distinguish between “please” and “police.” Due to Finnish phonetics, similar attacks may work less well for Finnish-language apps. Finnish offers semantic opportunities instead, often illustrated by Fingerpori (an example A classic counterpart in English would be ”Time flies like an arrow.”). On the other hand, most apps on Finnish phones are likely English at least by name. In a voice masquerading attack, the attacker’s app may take control of the system and merely pretend to follow the consumer’s commands.

Several consumer IoT security solutions propose some form of centralized and secure IoT hub to mediate communication between devices and the internet. The problem is that traffic between an IoT device and a cloud service may be encrypted, forcing the hub to make security decisions based on encrypted traffic. Furthermore, end-to-end encrypted traffic may prevent consumers from inspecting their devices to ensure they do not violate privacy expectations. To address this, it has been suggested that the consumer could ask the vendor to send a previous encryption key to a trusted third party, which decrypts the data and shows it to the owner.

In short, the proliferation of vulnerable IoT devices raises new security and privacy risks, making IoT devices attractive attack targets. The reasons for insecurity range from insecure-by-design implementations (e.g., devices with backdoors for troubleshooting) to designs where applying security updates is difficult. One of the biggest obstacles to improving IoT security is that markets do not reward or incentivize vendors to compete on better security.

Question 1

The text refers to many new security issues. What is NOT claimed in relation to the medical or IoT devices discussed?

Attacks have been carried out by sending sounds inaudible to humans.

New types of security problems arise that cannot be addressed by technical research alone.

New business models for cybercriminals have also emerged.

Some proposed security mechanisms include a physical component linked to the human.

Posting submission...