Turns out that it’s easy to broadcast radio commands that force Polish trains to stop:

…the saboteurs appear to have sent simple so-called “radio-stop” commands via radio frequency to the trains they targeted. Because the trains use a radio system that lacks encryption or authentication for those commands, Olejnik says, anyone with as little as $30 of off-the-shelf radio equipment can broadcast the command to a Polish train­—sending a series of three acoustic tones at a 150.100 megahertz frequency­—and trigger their emergency stop function.

“It is three tonal messages sent consecutively. Once the radio equipment receives it, the locomotive goes to a halt,” Olejnik says, pointing to a document outlining trains’ different technical standards in the European Union that describes the “radio-stop” command used in the Polish system. In fact, Olejnik says that the ability to send the command has been described in Polish radio and train forums and on YouTube for years. “Everybody could do this. Even teenagers trolling. The frequencies are known. The tones are known. The equipment is cheap.”

Even so, this is being described as a cyberattack.

Read More

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The Biden Administration has recently announced the implementation of a cybersecurity labeling program for smart devices. Overseen by the Federal Communication Commission (FCC), this new program seeks to address the security of Internet of Things (IoT) devices nationwide. This announcement is in response to an increasing number of smart devices that fall victim to hackers and malware (AP News).

As IoT devices increase in popularity in homes, offices, and other settings, these labels allow consumers to be aware of their digital safety. The cybersecurity labeling program will mandate manufacturers of smart devices to meet certain cybersecurity standards before releasing their products into the market. Each smart device will be required to have a standardized cybersecurity label. Labels will serve as an indicator of the device’s security level and inform consumers about the device’s compliance with security standards. Devices that meet the highest level of security will be awarded a “Cyber Trust Mark,” indicating their adherence to the most stringent security measures.

The program will be able to hold companies accountable for producing secure devices while also giving customers the information they need to make informed decisions while purchasing IoT devices. Examples of IoT devices include smart watches, home assistants, Ring cameras, thermostats, and smart appliances. New technologies such as these have grown increasingly more present in modern life.

However, hackers have continued to exploit vulnerabilities in these devices, which compromise user privacy. These devices also allow hackers to gain entry to consumers’ larger networks. In the last quarter of 2022, there was a 98% increase in malware targeting IoT devices. New malware variants also spiked, rising 22% on the year (Tech Monitor). Compared to 2018, 2022 had more than 3 times the amount of IoT malware attacks (Statista).

Economically motivated attacks have been on the rise, and a larger number of consumers’ personal devices are being breached through IoT devices on the same network. Hackers then hold users’ devices until they are paid a ransom in cryptocurrency to keep the transaction anonymous. This rise in cybersecurity attacks can be contributed to the fact that it has become easier than ever for hackers to target networks. With Raas (Ransomware as a Service) offerings, hackers don’t need any previous cybersecurity expertise, as they can buy software written by ransomware operators. Because IoT devices are often left with default passwords and are easily hackable, they have been becoming a larger target for hackers.

IoT devices have been breached multiple times in the past resulting in leaks for big corporations such as NASA. In 2018, a NASA laboratory was breached through an IoT device added to its network by hackers. Another example of an IoT hack was the Mirai Botnet hack in 2016. Hackers used malware to infect an IoT device, which they later used to infiltrate other devices through a shared network. The malware would then use the default name and password to log into devices and continue to replicate itself.

IoT devices aren’t limited to just small gadgets that play a role in the home. In 2015, Jeep was hacked by a team from IBM, who used a firmware update to take control of the car’s steering, acceleration, and more (IoT Solutions World Congress). Because of electric cars increasing popularity, companies need to be aware of potential security risks that could cause harm to drivers.

After the implementation of Biden’s new program, IoT devices will be vetted and consumers will be shown the safety rating for each of the devices. The cybersecurity rating of each device is determined by evaluations and testing procedures carried out by FCC inspectors. These evaluations will make sure that devices can withstand potential cyber threats and protect users’ private data.

Some methods that hackers often use are brute force attacks, man-in-the-middle attacks, and malware attacks. Brute force attacks involve hackers using programs to repeatedly try to guess a device’s password, man-in-the-middle attacks involve hackers intercepting communications between a device and the internet, and malware attacks are when hackers use malware to take over IoT devices and eventually entire networks (Pass Camp). The cybersecurity labeling program has been highly praised by cybersecurity professionals across the industry. It is an important step towards building a more secure online network while also allowing consumers to make knowledgeable decisions on what they are buying.

However, some critics have voiced concerns about the program. The rapidly evolving nature of technology could lead to a lag in new security standards, which could leave devices outdated in security certifications. To address this, the program is expected to include provisions for periodic reviews to ensure that standards remain relevant and up to date.

In conclusion, the Biden administration’s announcement of the cybersecurity labeling program for smart devices marks a significant milestone in the ongoing efforts to enhance cybersecurity and safeguard consumer interests. Consumers can also make efforts to secure their own devices by using stronger passwords, keeping software up to date, and securing their networks. By incentivizing manufacturers to prioritize security in their product development and providing consumers with transparent information, the program aims to create a more secure and trustworthy environment for the increasingly connected world of smart devices. As the program takes effect, it is hoped that it will foster greater confidence in the IoT industry and encourage the adoption of robust cybersecurity programs across the board.

The author of this blog works at Perimeterwatch.

Read More