Open systems, open data, and open-source software provide a means to promote greater transparency, public trust, and user participation. But what happens when adversaries can abuse the same systems?
After all, any system that’s open to everyone is also open to those who wish to use it for malicious intent.
Time and time again, we have seen how the open-source ecosystems like npm or GitHub have been abused to spread malware. We have also seen how public WiFi hotspots can be tempting sites for attackers and reports of Russian actors live streaming webcams that should remain hidden.
Similarly, public safety systems that are designed to protect and safeguard citizens from adversaries have been misused by the very adversaries to do the opposite.
These are common ‘vulnerabilities’ in our societal systems exploited on a smaller scale.
But what about the cases of nation-state actors targeting national security systems, especially if they are open-source, for malicious purposes?
“Open data” and surveillance cameras
In a recent report, I analyzed an Automatic Number-Plate Recognition (ANPR) data leak from an online dashboard that powers IoT surveillance cameras. A publicly exposed database without a password caused this breach.
On further investigation, I learned that UK’s traffic cameras and some select public safety cameras are openly visible to any civilian. This open availability is primarily due to the open data initiatives resulting from privacy and transparency legislation.
Therefore, the UK provides greater visibility into its traffic camera network located across major cities like London and the national highways.
Depending on the state and location, the US has similar traffic cams that openly disseminate live feeds to anyone over the web.
For example, a live view of New York City’s 42nd Street, Madison Ave, and Hudson River can be seen via Skyline webcams’ feeds. These feeds keep rotating while capturing live roadways and different angles of the area.
When asked what some of the consequences nation-state actors could achieve with these open systems, Mark Sangster, vice president and industry security strategist at eSentire, stated:
“Criminals or state-sponsored actors could use traffic patterns to determine high traffic or stall points to ensure maximum harm is inflicted in an attack. [They can also] maximize the impact of a disruptive attack, such as against traffic management infrastructure.”
For example, in my research, the publicly accessible cameras located around Vauxhall Cross, London, provide live visibility into areas surrounding the famous MI5 building.
Surveillance cameras also exist around notable landmarks, traffic lights, bridges, heritage sites, and monuments.
Former CIA executive Marcus Fowler, who is currently the Director of Strategic Threat at AI security firm Darktrace, shared similar insights with BleepingComputer regarding how closed-source public safety systems can be exploited.
“A strategic attack on traffic lights could cause city-wide disruption. For example, traffic lights could be targeted on the day of an election to cause gridlock and slow people as they travel to the polls. A group of researchers at the University of Michigan was able to control more than 100 traffic light signals in Michigan City with just a laptop and an off-the-shelf radio transmitter,” Fowler told BleepingComputer.
With the recent cyberattacks targeting the healthcare industry, Fowler expressed concerns on how malicious actors could also disrupt the emergency response systems:
“There has been a surge in attacks against the healthcare industry during the pandemic, which leads me to believe cyber-criminals could extend these to attacks to emergency response systems. If attackers can gain control of these systems, they could cause nation-wide chaos and put patient lives at risk,” Fowler continued.
While some of the attacks, such as those on power grids, energy generation systems (think Stuxnet), and IoTs powering “smart cities” may be heard of, there remain less popular targets capable of stark consequences on populations.
Fowler explained, “Port facilities are increasingly compelling targets for attackers, especially given the public’s growing dependency on delivery shipments of goods and the strain already placed on supply chains by the pandemic. If computers at a port facility were to be taken offline by an attack, supplies – including food, medical supplies, or even PPE — may not reach intended destinations.”
Drones, smart vehicles and IoTs
With surveillance technologies increasingly expanding in the form of autonomous systems such as drones, self-driving cars, and robots, what are the security implications of such moves?
According to Stephen Cobb, an independent security researcher based in the UK, the growing use of remotely-controlled and autonomous vehicles for public safety and surveillance opens up a worrying new set of attack vectors and opportunities for criminal abuse.
“A few years ago, I coined the term jackware for a category of malware-based attacks that include hijacking of self-driving cars, but this can also apply to autonomous or remotely-controlled vehicles—in the air or on land—that are deployed for public safety purposes.”
“Just as a police car or ambulance can be turned into a weapon, so can a surveillance drone or security robot. Use of autonomous or remotely-controlled vehicles for public safety is a troubling new attack vector because this technology is not in my opinion sufficiently shielded from abuse,” said Cobb.
Commenting on the state of affairs we have seen in the past two decades, Cobb additionally expressed how cybersecurity efforts are frequently not prioritized for attack vectors like these until grave consequences occur.
“Detailed historical analysis of previous technology deployments strongly suggests that appropriate levels of protection will not be put in place until malicious abuse occurs at scale.”
Public policy documents and social engineering
Often government websites inadvertently make law enforcement, government employee, and standard operating procedures (SOPs) manuals publicly available.
If a malicious actor can obtain a specially commissioned “office use only” helpline number from these manuals and impersonate one of their employees, such as a tax officer or a police detective, they may be able to obtain sensitive information on individuals and case files.
For example, an attacker could spy on a wealthy individual’s finances if they know their SSN. This could be done by impersonating the victim while calling the IRS and requesting tax account information.
Moreover, due to the recent BlueLeaks hack, which exposed sensitive information, there is concern that state-sponsored actors can abuse the data in multiple ways.
“In this case, the group that instigated the hack claimed that it was intended to fight police brutality; however at the same time they released thousands of bank account numbers, addresses, names of victims of crimes, and suspected criminals who were never charged,” said Alexander M. Kehoe, Co-Founder & Operations Director at Caveni.
“The collation of this information could prove incredibly useful to malicious foreign actors or organized crime syndicates. Both of these groups could use this information to whatever malicious ends they chose, all thanks to information exchanges that were meant to police society. A prime example of a public safety system failure that had the potential to cause significant harm to the everyday citizen,” Kehoe added.
In conclusion, technology has provided innovative means to governments in ensuring citizen safety and national security. Still, policies need to be in place so that these very devices and “open information” initiatives are not abused by the adversaries they are meant to defend against.