Contact person
Tomas Bodeklint
Affärsutvecklare
Contact TomasThere are now more connected devices than people on the planet. The Internet of Things (IoT) is an important part of the digitalisation of society. But it also opens new doors for cybercriminals. For manufacturers of smart products, it's a matter of finding and closing the back doors – before the end user is harmed.
The washing machine that tells you when electricity is cheapest, the industrial robot that tells you when it's time for maintenance, and the security alarm that tells a worried relative where an elderly parent is. IoT is everywhere, making our everyday lives better, easier and cheaper...
But in reality, the technology is also creating security gaps large and small in our homes, cities, industries, agriculture and transport.
Tomas Bodeklint, Research and Business Developer at RISE and responsible for the institute's Cyber Test Lab test and demonstration environment, explains how an ordinary office printer can be used as a tool for a large-scale hacking attack:
"Cybercriminals scan the Internet for unprotected devices. When they find a connected, unprotected printer, they implement software that allows them to use the printer for purposes other than those for which it was intended. It can become part of a 'botnet', an army of devices that work together to launch denial-of-service attacks. In this case, the infected IoT devices are used to bring down specific servers.
The Swedish Defence Research Agency, FOI, was commissioned by the Swedish Civil Defence Agency, MSB, to map the risks of IoT. One of the conclusions was that much of the IoT equipment has been designed without security in mind*. Tomas Bodeklint believes there is a simple explanation for this.
"A big part of the problem is that many IoT devices must not cost too much for the end user. Manufacturers focus more on functionality and ensuring that a product does what it is marketed to do, rather than ensuring security. This is an issue that has become more acute as cybercriminals and state-sponsored actors use digitalisation to influence society in different ways," says Bodeklint.
The threat has been addressed at EU level, with the Radio Equipment Directive and the forthcoming Cyber Resilience Act (CRA) in the Union's toolbox of countermeasures, which together cover all types of products that contain some form of software. The aim is to prevent devices with security vulnerabilities from reaching consumers.
"Manufacturers need to consider cybersecurity at the design stage. It is often difficult to add security features after the fact. A good start is to review the threat landscape for your product and analyse the risks and possible attack vectors. Then you can apply various solutions to prevent them, such as encryption and multifactor authentication," says Tomas Bodeklint.
Plugging a hole is not enough. Hackers are always finding new ways in.
RISE helps companies with this type of threat and risk analysis and conducts penetration tests to find weaknesses in IoT products. Among other things, vehicles and charging points have been examined to identify potential security holes. Electromagnetic compatibility (EMC) was also measured. The latter tests whether the electronic product interferes with or is interfered with by other devices and equipment in the vicinity.
"We have seen it in the past, and we are seeing it now, that the electronics in a car are affected by radio interference. If you haven't thought about EMC issues before, consider the following scenario: your children are in the back seat watching a children's programme on their tablets and suddenly the car crosses the road. Or you're sitting in a traffic jam talking on the phone when the car accelerates into the car in front of you. The more automated the technology in the car, the more complex the risks become," says Tomas Bodeklint.
"The car is one example of many connected products that have a positioning function. This also increases vulnerability. MSB has identified 'antagonistic electromagnetic threats' to the satellite navigation system as an emerging risk. In the winter of 2023/2024, several jamming incidents were reported in Sweden, with Russia identified as the source."
"We help the industry with positioning in their products with simulated spoofing and jamming tests - jamming and deceiving the GNSS signals (see box). "This type of testing will of course become increasingly important as we move towards fully automated driving," says Mr Bodeklint.
There have long been requirements for electronic products to be electrically safe to prevent people from being injured. In addition to an overarching legal text, rules and standards have been added to describe how this should be ensured.
"In the future, we will need legal requirements, methods and structures to ensure cybersecurity in all areas. At the same time, we need to raise the level of knowledge. It is not just the engineer building a product who needs to think about security in the design phase, but the whole organisation needs to think about cybersecurity all the time. And plugging a hole is not enough. Hackers are always finding new ways in," says Tomas Bodeklint.
*Sources: Swedish Defence Research Agency, FOI. https://www.foi.se/nyheter-och-press/nyheter/2018-10-08-sakernas-intern…
Swedish Civil Defence Agency, MSB. https://rib.msb.se/filer/pdf/29057.pdf https://rib.msb.se/filer/pdf/30061.pdf
INTERNET OF THINGS - THE TERMS TO KNOW
The Internet of Things (IoT) is a concept in which physical devices are connected to the Internet and can communicate with each other and send and receive data. By integrating sensors and smart technologies into everyday objects, IoT can enable the automation, monitoring and streamlining of various processes and systems.
Botnets are like an army of computers, phones or other devices that have been hacked or infected with malware without their owners' knowledge. These devices can be controlled by an attacker to spread viruses, send spam or launch attacks against websites or other computers.
GNSS, Global Navigation Satellite System, is a collective term for satellite-based navigation and positioning systems. The best known of these is the GPS system.
Spoofing is a type of attack in which an attacker creates false signals to trick recipients into believing they come from a legitimate source. This can be used to disrupt navigation devices or to mislead people or systems.
Jamming is an attack in which an attacker sends jamming signals to overload or disrupt communication between the sender and receiver. For example, a jamming attack can be directed at a GNSS receiver to block or distort signals from the satellites.