[Korea and the fourth industrial revolution <22-1 Security>] A more connected world, with better fences
Hackers appeared to have exploited the bug before the patch was released, and though Instagram would not confirm the number of affected accounts, hackers claimed to have information on six million Instagram users, information that was obtained when users were asked to reset their passwords. The hackers said they had set up a searchable database so that people could dig up each victim’s information for $10 per search. Some of the victims included celebrities like Selena Gomez.
Hong Min-pyo, founder and CEO of the Silicon Valley start-up SEWorks, which specializes in mobile security, said the latest Instagram attack is just one of many cybersecurity incidents with different levels of gravity that could originate from vulnerabilities inside smartphone apps.
“Aside from manipulating or stealing users’ information, hackers can load malicious source codes into an app that can later be used in denial-of-service attacks,” Hong wrote in an email, “and in worse-case scenarios, hackers can intercept revenue generated from cash balances in games or financial apps, dealing massive financial damage.”
Hong, who is touted as one of the world’s top three “white hat,” or ethical, hackers, warned that an app’s source code can also be lifted to create a copycat app, infringing on the original developer’s intellectual property rights.
With smartphones replacing computers in most aspects of our daily lives, from work to play, mobile security has become a critical objective in the tech world, but the level of protection is still spotty. SEWorks conducted its own research into 500 popular free and paid apps on the Google Play Store last year and found that 80 percent of them were susceptible to decompiling, meaning they were vulnerable to hackers.
SEWorks’ latest product, AppSolid, is a cloud-based security solution that developers can apply to their mobile apps. “When our client is done with app development, they log onto our web page, have the app scanned for any vulnerabilities and apply binary protection, a sort of protective coat,” Hong said. “Then the app is ready for launch. No additional coding is needed from the developer.”
As the power and spread of malware continues to grow, with some hackers even selling their services to cybercriminals, global spending on information security is projected to pick up 7 percent from last year to reach $86.4 billion this year and then climb to $93 billion in 2018, according to Cybersecurity Ventures, a market information provider.
Many Korean companies witnessed just how vulnerable their systems were during the WannaCry ransomware attack in May. The malware affected some 200,000 computers across 150 countries and was the worst cyberattack case in history.
Of note, the advertisement servers of retail conglomerate CJ’s multiplex chain, CGV, were affected by the malware, forcing theaters to stop running ads before movies started. The internal networks at a few general hospitals, equipment monitoring servers at local IT service providers and processing servers at some large manufacturers were also victims of the cyberattack.
Connected and vulnerable
The technology of the fourth industrial revolution promises a more connected society, and greater ties also require stronger fences. Information security has now become just a subset of the broader concept of cybersecurity, which encompasses everything from protecting medical devices, biometric information and embedded systems to securing automobiles, airplanes, military technology and other devices that don’t fall under the traditional IT umbrella, according to a report by market researcher Gartner in August.
So-called Internet of Things, or IoT, devices are particularly susceptible to manipulation. The devices by design are meant to openly communicate with each other to make our lives easier, helping us turn lights on and off or check the home temperature with the tap of a smartphone, but since the devices run over Wi-Fi and the product category is in a nascent stage, the devices are filled with security loopholes.
Gartner predicts that by 2020, more than 25 percent of identified attacks on enterprises will involve IoT devices, which can run the gamut from smart televisions and refrigerators to gas valves and electricity meters.
IoT hacks first emerged as a real-life threat in March after CIA documents published by WikiLeaks showed Samsung Electronics’ smart televisions could be used to secretly record conversations in a room and send them over the internet to a covert CIA server. The bug existed on Samsung television released between 2012 and 2013, and Samsung immediately released a patch for the televisions after the leak this year.
Samsung, with its plethora of products that boast IoT functionality, has been stepping up measures to bolster its security system. “Security has become a top priority now that we have entered an IoT age,” a Samsung spokeswoman said, adding that while Samsung has maintained a low profile on security, the company is not treating it as any less important and working on the issue routinely.
In May, the tech giant quietly scouted Ahn Gail-joon, a professor of computer science and engineering at Arizona State University and renowned security expert, to head the security team at its software center in the semiconductor division. Three months later, the software center hosted its first hacking competition for white hat hackers in the fields of attack, defense, coding, algorithm and reverse engineering, with a reward of up to 80 million won ($70,810) and a spot in the company.
Earlier this month, Samsung said it would expand a “bug bounty” program that it has been running since 2012. The program rewards individuals with cash for reporting vulnerabilities in its smart televisions. Samsung plans to double the bounty to $200,000 and expand the program’s coverage to other products, including mobile devices like the Galaxy S, Note, A and J as well as software like the virtual personal assistant Bixby and payment system Samsung Pay.
Global tech giants like Microsoft, Facebook and Google have been operating similar bounty programs; Samsung is the only company in Korea to do so. However, domestic enterprises are stepping up their security enhancement efforts.
SK Telecom, which has been ratcheting up its IoT business, is taking the lead, partnering with other tech firms like LG CNS, start-ups and academics to analyze vulnerabilities in its devices and propose regulatory guidelines to the government.
Cyber threats to industry
Beyond the consumer level, successful hacking attempts at manufacturing facilities have relied on vulnerabilities in IoT devices. These interruptions can cause malfunctions in the manufacturing process and deal a massive financial blow.
In 2014, hackers targeted a steel mill in Germany by manipulating and disrupting its control systems and prevented a blast furnace from properly shutting down, resulting in great damage at the facility. It still remains unclear whether the hackers intended to cause physical destruction or the accident was simply collateral damage.
Gartner estimates that by 2020, at least one major safety incident per year will be caused by an IT security failure, leading to significant injury. “It is easy to imagine a scenario that an IT failure could have a physical safety outcome,” Rob McMillan, research director at Gartner, said in a June report. “The increasing complexities of connections means things and infrastructure with different levels of security are now interacting. It will be difficult to predict the risk that will arise.”
With more factories adopting IoT devices in their manufacturing, Penta Security Systems, a 20-year-old security software provider based in Seoul, jumped into the fledgling field of smart factory security solutions this year. The company provides encryption modules in both software and hardware form to improve the security of IoT devices in smart factories.
“Smart factories have gained attention globally for their ability to innovate manufacturing process,” said Frank Han, chief evangelist at Penta Security Systems. “Collecting, monitoring and controlling manufacturing process-related data is crucial, but also important is guaranteeing that the data available is not intercepted and counterfeited. That’s where the need for building an optimal security system designed to block network attack comes from.”
Tackling public threats
The Korean government has only recently begun to address IoT security threats. Last year, the Ministry of Science and ICT released broad IoT security guidelines and followed up recently with more specific recommendations for how companies should cope with vulnerabilities in smart home devices and appliances. But the guidelines do not carry any legal obligations from manufacturers’ side yet.
“We are in a toddler status when it comes to IoT security,” said Park Chang-youll, head of the IoT security technology team at the Korea Information Security Agency. “The previously predominant view was that reinforcing security features from the early stage of product development could slow down and even hamper the process. Only since 2014 has the government been gradually aware of the importance of security-related policies.”
Kim Seung-joo, a professor at Korea University’s Department of Cyber Defense and Graduate School of Information Security, argues that authorities in Korea should upgrade their understanding of overall security issues.
“There are only three Korean security firms listed among the top 500 in the world,” he said. “It is high time that the government move away from thinking security is merely about personal information leakage or web page paralysis.”
Kim was referring to the Cybersecurity 500 index from Cybersecurity Ventures, an industry information provider, which showed three Korean companies among the 500 most innovative companies in cybersecurity during the second quarter this year. The three companies were AhnLab, a 22-year-old antivirus software developer that ranked 104th; SEWorks, which placed 363rd; and Fasoo, a 17-year-old data security firm that captured 460th.
The 500 companies were from 136 countries, with 120 of them coming from Silicon Valley. Twenty-two came from the Asia-Pacific region, and that figure represents a twofold increase from last year.
“Korea has low awareness of security, and even related industries tend to find one-time solutions after an incident occurs rather than consistently implementing preventive measures,” said Hong of SEWorks. Even if any security failures take place at a certain company, it faces few legal liabilities, and the level of penalties including fines is lower than in other advanced countries like the United States. Hong recommended the government amend regulations to require better security from tech companies.
The range of products connected to the internet is growing, and automobiles have been getting some of the biggest hype. By IHS Markit’s estimates, over 112 million connected vehicles are running on roads worldwide. New technology is turning cars into computers on wheels, as more vehicles are embedded with special-purpose computers known in the industry as electronic control units.
Today, a car typically carries 50 to 60 electronic control units and more than 80 microprocessors, and electric vehicles have much more. That means each of these electronic components - the engine, transmission, sensors, GPS, radio or climate control - can serve as a gateway for hackers to get into one’s car. They may easily locate a car’s location or break into one of numerous controls.
A legendary demonstration in July 2015 by two security researchers, Charlie Miller and Chris Valasek, of a hack into a 2014 Jeep Cherokee SUV showed how they were able to access the vehicle’s computer system and then rewrite the firmware to plant a malicious code that makes it possible for them to take control of the car. They were able to remotely control air-conditioning, steering, brakes and transmission, and the scene of the car’s remotely disabled brakes - sending it careening into a ditch - delivered a shock wave across the globe.
In response to the researchers’ demonstration, Chrysler recalled a whopping 1.4 million units of the hack-prone Jeep.
With autonomous driving likely to be commercialized as early as 2025, the dangers of leaving vehicle operation to a computer will only multiply. “Cybersecurity will be one of the toughest challenges that the auto industry will face in the next decade or two,” said Colin Bird, a senior analyst of connected car consumer insights at IHS Markit.
The main approach to address the growing problem is developing and installing multiple cybersecurity software programs to protect key electronic control units. One Korean start-up, Fescaro, has developed security software that automakers and parts suppliers can embed in their electronic control units. A start-up working in car security is a rarity within Korea, where some 150 start-ups are engaged in security but few of them have shown distinguished accomplishment in the international arena.
Hong Seok-min, who founded Fescaro last year, says automotive security has a high barrier largely because it requires knowledge in both cars and information technology. Mainstream carmakers have been hiring an increasing number of electrical engineers and IT specialists. A former engineer in charge of electronic control unit security at a Hyundai Motor affiliate, Hong underscored the importance of keeping cars secure, saying, “A single hack of a vehicle could claim human lives, the worst-case scenario one can imagine.”
Outside of Korea, over-the-air security is coming into force with Tesla cars receiving software updates over the internet. Escrypt, a subsidiary of Bosch, the leading car parts supplier, is gearing up to provide security capabilities to cars via wireless networks. General Motors also announced recently that it would begin delivering updates to vehicles over its wireless OnStar network. In the longer run, integral electrical architectures within vehicles will be designed from the ground up with cybersecurity in mind, IHS predicts.
Cybersecurity threats on a larger scale affecting critical infrastructure are not unimaginable, either. Last year, dozens of South Korean vessels suffered a GPS jamming that was serious enough to force them back to port. North Korea is accused of masterminding the jamming.
A more terrifying example of cyberterrorism was detailed in a June report by the British American Security Information Council. The London-based think tank said a successful cyberattack on the United Kingdom’s nuclear submarines could “neutralize operations, lead to loss of life, defeat or perhaps even the catastrophic exchange of nuclear warheads [directly or indirectly].”
Professor Kim of Korea University said significant attention is needed to the imminent threat of weapons connected over the network, especially given today’s dynamic security landscape involving North Korea and the United States.
“Unlike traditional weapons, the latest series of weapons in development are connected wirelessly for navigation and are powered by artificial intelligence,” he said. “These ‘cyber weapons’ are never free from cyber intrusions. It’s high time that South Korea upgrade its overall cyber defense system encompassing development, procurement, operation and evaluation of weapons, which has long remained in old form.”
In the face of escalating military tensions, U.S. President Donald Trump in August elevated the status of the Pentagon’s U.S. Cyber Command to help spur development of cyber weapons to deter attacks, punish intruders and tackle adversaries.
BY SEO JI-EUN [email@example.com]