Worse than Ransomware: Cyber-Terrorism

Yesterday, a new large-scale ransomware attack dubbed Petya hit computers all across the globe, disrupting operations in industry sectors and governments alike. The ransomware, similar to the WannaCry attacks earlier this year, demanded that a ransom be paid in Bitcoin in exchange for decrypting a computer’s files. The extent of the damage even reached so far as to disable the Chernobyl power plant’s website, forcing radiation monitoring to be carried out by hand.

One point to mention however – Petya isn’t ransomware.

According to Adam Clark Estes of Gizmodo, experts think that the objective of this attack was not profit but chaos. As investigation into the nature of the attacks proceeded, it soon became clear that, due to the way the malware was designed, it would be nearly impossible for the attackers to gain any monetary profit through it. The email address supposedly associated with the ransom was taken down by the host, meaning no payment could be received. With no way to pay the ransom, any afflicted machine thus becomes locked without a way out – cyber terrorism disguised as ransomware.

As fate would have it, this attack operates as an improved version of the WannaCry attack, utilizing the same Windows vulnerability – EternalBlue. Despite the media proudly announcing that a “cure” or “kill-switch” to the WannaCry attack was discovered, the same weak point was exploited, showing once again how truly unprepared the world is for sophisticated cyber-attacks. According to CNNtech, even Ukraine’s Cabinet of Ministers was hit by the attack.

The failure of the world to defend itself from such an attack is an embarrassment. The logical shift to dealing with cybersecurity is not being made often enough, with so many governments and corporations still not realizing that a system cannot last long without updating. Failure to update operating systems and software leads to situations like this, where old vulnerabilities remain exploitable by hackers. For the societies of the future, in which the integrity of every IoT-connected device is necessary, the ability to keep software equipped with the latest security solutions is paramount.

This reality is the driving motivation behind the development of Trillium’s SecureOTA platform, designed to swiftly and seamlessly update security measures on devices as often as needed. Such functionality is key to ensuring the long-lasting effectiveness of any security system, for as the saying goes, “Fool me once, shame on you. Fool me twice, shame on me.”

Trillium Inc named to Gartner’s Cool Vendors in Security for Technology and Service Providers, 2017

TOKYO, June 23, 2017 – (ACN Newswire) – Trillium Inc, a leading provider of IoT automotive cyber security solutions, has announced it was named as one of Gartner’s “Cool Vendors in Security for Technology and Service Providers, 2017”, a report by Ruggero Contu, Lawrence Pingree, Deborah Kish and Dale Gardner of Gartner Inc (Published: 4 May, 2017).

“It is a unique honour to be named a Gartner Cool Vendor 2017,” said David Uze, President and CEO of Trillium Inc. “As a designer and provider of multilayer, adaptive and custom Cyber-security systems, we are on a mission to solve the biggest threat facing society due to the roll out of autonomous driving vehicles: car hacking.”

Gartner’s Cool Vendor Reports aim to identify companies with the potential to bring about paradigm shifts that stand out because they offer some disruptive capability or opportunity. Trillium Inc was named a Cool Vendor 2017 because, as the report says, it is “pioneering new directions and potential opportunities in the security market.”

The information provided in the report is of value to all technology and service providers looking to partner with providers of innovative security solutions.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Trillium Inc is a designer and provider of custom, multilayer adaptive Cyber-systems, specialising in vehicular and transportation applications for the vehicles of today and tomorrow. Founded in 2014, Trillium is led by a team of executives and engineers from Japan, Europe and the U.S. with extensive experience in automotive, cyber security, embedded systems and IoT.

Trillium’s products and services deploy a software-based suite of cybersecurity tools to protect automobiles and IoT connected devices from cyber-attack, around the globe. Trillium is backed by lead investor Global Brain, a Tokyo-based venture capitalist. To learn more, please visit www.trillium.co.jp.

For questions and to arrange executive interviews, contact pr@trillium.co.jp

Cars and the People: Government Urges for Automotive Cybersecurity Policies to Address Hacking

The car of today processes a staggering amount of information every day. Nearby pedestrians, wind speeds, outside temperature, the list goes on. In addition to these environmental variables, however, modern cars also have access to a host of personal data – that of their passengers.

From the time of connecting our phones to our cars via Bluetooth to play our favorite music, our cars have had a connection to those devices that hold so much information about our lives. The extent to which our cars consider our tastes has gone even further than music, however. As connectivity in vehicles increases, so does the access that they have to the details of our personal lives. The convenience of having this data available to one’s car is undeniable, whether for making purchases on the go with stored credit card data or mapping the route to one’s friends’ houses. The benefits of connectivity are clear, but in the wrong hands this data can be a dangerous weapon.

A direct result of this possibility is the increase in discussion concerning liability for protecting customers from connected car risks. Automotive OEMs and Tier 1 suppliers, as well as legislative bodies, have had to consider this reality for the future, as the amount of data cars will be privy to is expected only to increase over time.

According to a post by David McCabe of Axios, legislators from both sides of the United States’ political spectrum have expressed concern for this issue; the post features quotes from both Democratic Massachusetts senator Ed Markey and Republican Oklahoma senator James Inhofe regarding the future of cyber-security in cars. In order to effectively develop regulations ensuring the security of private information, legislators will need to consult bodies such as the SAE (Society of Automotive Engineers) and companies working on the frontier of automotive cyber security like Trillium. Considering the scale of damage that could be caused by hackers if left unchecked, no time should be lost in the preparation of a preemptive defense strategy.

The Cost of Complexity

Four thousand gigabytes. To even the average person, those numbers represent an enormous amount of data, more than most people can even think of using up in over a year. Most commercially sold computers often come with no more than 400 GB of storage, and in many cases that much is enough to last the device’s lifetime.

What, then, can be said of a device that consumes 4,000 GB of data – per day, every day?

The device in question is the car of tomorrow. The January 2017 issue of the SAE’s (Society of Automotive Engineers) magazine gave predicted figures for the amount of data an autonomous car would have to process, with features such as the cameras, sonar, and lidar components of an autonomous car processing up to 70 MB per second.

The processing of this staggering amount of data is no easy feat, and no doubt the autonomous vehicles of tomorrow will dwarf the cars of today in complexity. That being said, according to Nicole Perlroth of the New York Times, “Today, an average car has more than 100 million lines of code. Automakers predict it won’t be long before they have 200 million.” Truly, the car of today is closer to a super-computer than the mechanical transportation device it originally began as.

The future of self-driving cars brings with it a whole array of benefits, but the devil is in the details – or in this case in the sea of code giving these cars their remarkable abilities. Immediately following the prior quote, Nicole says “…on average, there are 15 to 50 defects per 1,000 lines of software code, the potentially exploitable weaknesses add up quickly.” The message here is clear – the cars of today, and more so the future, are full of vulnerabilities. With the sheer number of lines of code present in their systems, the possibility of producing error-free automotive software is nigh mathematically impossible.

The typical target in vehicular cyber-attacks is therefore the code-rich infotainment unit. To run the computing-heavy multimedia and mapping applications handled by the module, fully fledged software is required, which due to its complex nature is prone to code bugs and defects.

A compromised infotainment unit is only the entry port. Due to the interconnected nature of vehicles, once hackers gain control of one edge node the entire network can be lost, giving hackers easy control of all vehicular functions – including steering, braking and acceleration.

The fact of the matter is, neglecting cyber security in vehicles is no longer an option. With every sensor in a car a potential attack surface, and the number of sensors on the average vehicle only expected to increase, more care needs to be put into ensuring their integrity. A single-faceted defense falls short too, with the unfortunate reality of cyber security being that there is no panacea, no one-trick-beats-all solution to stopping cyber-attacks. Without a multifaceted, multi-layer cyber security approach the cars of tomorrow are doomed to devolve into unmistakable targets for malicious hackers, putting the lives, information, and privacy of riders at stake.

The Invisible Battle: Understanding the Differences Between Traditional and Cyber Defense

To the average company’s Chief Information Security Officer (CISO), the importance of strong cyber security is a given. Due to its physically invisible nature, however, it is often difficult for those not directly involved with the development and/or maintenance of a cyber defense system to properly comprehend its significance.

In addition to its invisible nature, the way cyber-attacks are conducted adds confusion for those not knowledgeable in the subject. As Alex Blau of the Harvard Business Review puts it: “The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. No matter how fortified a firm may be, hackers, much like water, will find the cracks in the wall. That’s why cybersecurity efforts have to focus on risk management, not risk mitigation.”

The fundamental difference being highlighted here is that cyber defense is a process that must be constantly monitored and constantly kept up to date with updates to ward off the latest threats as they appear. It is not enough to simply enact countermeasures and leave them in a static state – assuming they will always suffice to keep your data safe.

This important distinction is one of the driving motivations behind the design and architecture of SecureOTA, the over-the-air update piece of our SecureIoT suite. In an environment where new, undocumented cyber-attacks can occur at any time, the need for a fast-responding, always up-to-date security system cannot be neglected.

This critical functionality has been shown to have lasting benefits in the cyber security realm, as was seen at the time of a Tesla Model S exploit back in 2015. According to Wired, while Fiat Chrysler was forced to recall 1.4 million cars due to a cyber exploit in the same year, Tesla was able to remedy a similar issue with little more than a software update.

A cyber security system is like a castle, and updates to the system are its provisions. While rather pessimistic, the reality of cyber defense is that every castle is under siege, and without the constant support updates provide, collapse is inevitable.

Safety Compromises in Cars: What we Gain in Risks in Exchange for Autonomy

The coming age of autonomous vehicles offers much in the way of improvements to the lives of people today. Not only are the vehicles safer for those inside the car as well as those outside, but they are also easier to use. Autonomous vehicles open driving to a new category of users that previously were unable to drive. The biggest advantage however will be the massively increased safety that this revolution will bring.

Human error will be a thing of the past, with dependable onboard systems ready for any condition, handling all maneuvers. This leap in safety will naturally lead to lowered car insurance premiums, with experts predicting the move to full automation lowering insurance costs by almost half.

However, as has been seen in other industries across the globe, the move towards more sophisticated technology also brings with it dangerous problems. In an article published by The Times last week, David Williams, Axa Insurance’s technical director, says that ransomware could very well come to vehicles next. The recent WannaCry attacks have instilled fear in those afflicted by them, with this shift in public opinion of cyber-security being reflected in the jump in stock prices for companies in the industry. The threat of loss of data and/or company secrets is indeed ominous, but the damage potential of a car hack would be seen immediately, and with unpredictable consequences. Civilians can be stranded, delivery trucks stalled, and horrifyingly, emergency response vehicles could be prevented from reaching the places they are needed. And that’s only if the hack simply stops the vehicle. Far worse – car hackers could easily use compromised vehicles for massive terrorist attacks.

The problem is no longer limited by proximity to the vehicle either. The widely known hack of a Jeep Cherokee in 2015 demonstrated that hacking cars remotely is no longer science fiction. This dreadful reality has even made its way into popular culture, with one of the most iconic scenes of the recent blockbuster Fast and Furious 8 featuring a large-scale car hack. With the cars of tomorrow being as interconnected as any part of an IoT network, the risk for such a remote, malicious hack increases exponentially if dynamic security measures aren’t implemented.

The current techniques used for PC and server cyber security simply don’t have the fortitude to match the scale of IoT risks, with every device being a potential gateway for more sensitive devices, like phones, computers, or cars.

As the speculations and warnings turn to reality, the world will need to adjust itself to combat the threat that is malicious hacking. It will not be long before all legislation relating to automobiles has cyber-security aspects integrated into it, and likewise, insurance firms will adapt their policies in tandem too.

Least Priority = Most Damage, The Flaw of Underestimating IoT Cyber Security

“While traditional cybersecurity has grabbed the nation’s attention, IoT security has been somewhat under the radar, even for some companies that have a lot to lose through a breach”

These are the words of Stefan Bewley, the Director of strategy consulting firm Altman Vilandrie and Company. The unfortunate truth behind the IoT solutions boom is that not enough companies are taking its security seriously enough.

The International Business Times published an article Sunday addressing this perilous lack of focus when it comes to the security of the increasingly convenient Internet of Things in the industry sector. Despite the fact that industrial IoT integration is only expected to increase in the coming years, companies are still failing to take precautions against the damage that a cyber breach can cause. What many companies are failing to realize is that as they continue to develop internet-enabled technologies to further the efficiency of their businesses, the amount of destruction a malicious cyber breach can cause increases in tandem.

Roughly 68 percent of companies recognize that IoT security is a distinct category of security. However, they fall short when it comes to actually allocating resources to properly deal with it: only 43 percent have independent budgets for it. This negligence has proven disastrous for some businesses, with damages caused by cyber breaches ranging from almost $5 million in smaller firms to nearly $2 billion in larger ones. On a global scale, the stakes of the IoT game are not being taken seriously enough, a thought pattern that is wholly unwise and surely unsustainable in the long term.

Without a holistic approach to security, no IoT can ever truly be secure. Every smart watch, wireless heart monitor and WiFi camera connected to a network becomes a potential entry point for an attacker. The intellectual awakening that the businesses of today need to undergo is, unfortunately, still far off. Without companies like Trillium that are dedicated to spreading awareness of the need for security in any IoT setting, be it business or personal, IoT development is just a figurative time bomb that grows larger every year. Until the world moves on from traditional IT security and embraces the coming IoT revolution, we may as well be trying to lock a gate with a safety pin.

Wheels of Steal: The True Consequences of a Car Hack

If you thought cars were only hacked by security researchers for white hat purposes, then the topic of today’s blog may come as a surprise to you. Just recently, members of a notorious Mexican motorcycle gang accused of hacking and hijacking at least 100 Jeeps over the last two years have been arrested. Unlike common car hijacking schemes, however, the crimes perpetrated by the group made heavy use of sophisticated hacking tools to exploit cyber security flaws in the Jeeps.

Explored in great detail both by Bleeping Computer and Gizmodo, the key to the successful hacks was the gangsters’ exploitation of an unguarded computer system. While “old school” tricks such as disabling the vehicles’ lights and alarm through the hood were also used, an instrumental step in the hijacks was the manufacturing and programming of replacement keys for the cars.

By gaining access to an unsecured database of vehicle identification numbers (VINs), hackers were able to access OEM-provided instructions on how to generate physical replacement keys, as well as a software code with which to program those keys to pair with the compromised vehicle.

The degree of efficiency to which these heists were carried out is astonishing – the entire hack took less than two minutes. Once the thieves had the code needed to reprogram the Jeep with a computer, the car was helpless to resist the counterfeit key.

After hackers gained full control of the vehicle, it was taken from the US to Mexico where it was either sold or scrapped for spare parts. The gang was able to perform this stunt over 100 times in the span of two years before its members were caught. That these crimes continued for so long is clear evidence of how far behind manufacturers and law enforcement are when it comes to automotive cyber-crime.

Stories like these emphasize precisely why the work Trillium does is so important. With the publicity now being given to these gangsters, the chance of copycat crimes springing up around the world is exceedingly high. Hacking cars in order to steal or otherwise exploit them is no longer a work of science fiction; on the contrary, it is real and happening right now. Thus, the longer this issue is denied its due attention, the worse the consequences will be for consumers, their automobiles and the entire transportation industry alike. Accordingly, until multilayered cyber security systems are widely deployed, hacks like these will not only continue without impediment, they will likely also become increasingly prevalent.

The Hole in the Dam that is IoT: A Lack of Security

As unlikely as it would have seemed ten years ago, cyber systems are steadily bridging their influence into the natural world in ways never imagined possible. Even those seemingly uncontrollable aspects of nature, natural disasters, will no longer be free from the ever-evolving reach of technology.

According to Tech Central, the Dublin City Council is looking to implement Internet of Things devices to help monitor water levels in flood-prone areas. Flood damage to Dublin’s infrastructure averages about €8 million per year, a cost that will hopefully be mitigated by upgrading the techniques used to analyze water levels. Knowing where water is rising fastest, as well as how fast, are key metrics in judging how well emergency personnel can respond to a dangerous situation. In addition, because of rising sea levels and increasing amounts of rainfall over the past few years, it is projected that flood risks will continue to become an even bigger threat than they are now.

While integrating the technology of IoT into public safety can have huge benefits for the city, it would be naïve not to consider the extra precautions that must be taken when using such a system. For a system such as a flood monitor, in which a single failure can result in catastrophic consequences, it goes without saying that said system must be impervious to defeat. This includes protection from being hacked.

According to an article by Mike Iliopoulos of the Denver News, the city’s tornado warning system was hacked in early April, causing the sirens to simultaneously blare for over an hour and a half. The hack was done remotely, and forced the city to upgrade the encryption on the warning system. The lesson to be learned comes not from the outcome of the hack, but the potential for even worse damage in a similar scenario.

While what happened in Denver was little more than a prank, the real-world damage that could be caused by the disabling of an emergency warning system in a time of need could be catastrophic.

Governments and industries are quick to jump to IoT solutions to improve the conditions in which they work, but the reality is that IoT without security is a dangerous gamble. The need for security is not only present in those critical systems, but also on any device that would be in the same network. Any end node can quickly become a weak point if not defended properly, and once a hacker has gained access to one entry port the entire network can be compromised.

The need for cyber security has never been greater – Trillium’s mission as a company and the passion of our team is to provide security for these vulnerable networks.