Experts fear risk to Smart Nation projects from hardware flaws

The two flaws dubbed Meltdown and Spectre - initially found in chips designed by Intel, Advanced Micro Devices (AMD) and ARM - were discovered last year but made public only on Jan 3.
The two flaws dubbed Meltdown and Spectre - initially found in chips designed by Intel, Advanced Micro Devices (AMD) and ARM - were discovered last year but made public only on Jan 3.PHOTO: AFP

They worry hackers could launch attacks by planting malware in autonomous vehicles, surveillance cameras

Security concerns loom large over Singapore's Smart Nation projects following the disclosures two weeks ago of major hardware flaws in almost all computers and smartphones worldwide.

Security experts fear that the flaws - which affect more hardware than initially thought - would allow hackers to commandeer fleets of autonomous vehicles and surveillance cameras that are being rolled out as part of the Smart Nation initiatives.

But these initiatives will carry on, the Smart Nation and Digital Government Office (SNDGO) told The Straits Times. "There are no changes to our plans," a spokesman said.

The two flaws dubbed Meltdown and Spectre - initially found in chips designed by Intel, Advanced Micro Devices (AMD) and ARM - were discovered last year but made public only on Jan 3.

They allow hackers to access a computer's memory and steal passwords and confidential documents.

"The flaws can also be exploited to plant malware in autonomous vehicles and Web cameras to launch sophisticated targeted attacks on critical infrastructure," said independent global cyber-security expert Aloysius Cheang.

These fears are not unfounded. On Jan 5, Nvidia, which works with several self-driving carmakers, joined the list of affected chipmakers when it issued software fixes for its graphics chips.

Insisting that its chips are immune to Meltdown and Spectre, Nvidia said it is updating its software drivers because they interact with potentially vulnerable processors.

Mr Tony Jarvis, chief strategist at security software firm Check Point Software Technologies, said: "The list of affected chips and products is growing; and it is far from a small number of companies."

History shows that cyber attacks involving the Internet of Things (IoT) like self-driving cars and Web cameras are possible. The first of such attacks was caused by the Mirai malware, which reportedly infected some 100,000 Web traffic cameras and directed them to take down US-based Dyn's systems in October 2016, resulting in a loss of Internet access for a day on the East Coast of the United States.

 

The regulatory authorities have been slow to lay down rules on how IoT devices should be secured, contributing to the severity of the problem, especially when IoT devices are used on a national scale.

"A lot of these IoT devices are badly designed from the security angle," said Mr Harish Pillay, who heads the community architecture and leadership group at open-source technology firm Red Hat.

"Even in the absence of Meltdown and Spectre, surveillance cameras have unsecured ports and use default passwords that can be easily guessed by hackers. All bets are off until we get a way to certify these devices," said Mr Pillay, who is also on the board of trustees of the non-profit Internet Society.

Web cameras are mostly powered by ARM chips. For self-driving cars, Tesla reportedly works with AMD, and Audi with Intel. Ford, Volvo and driverless car start-up nuTonomy work with Nvidia.

Boston-based and Singapore Government-funded nuTonomy, which has been testing driverless vehicles in one-north since April 2016, had announced plans to roll out driverless taxis here by the middle of this year. It did not reply to queries from The Straits Times by press time.

The SNDGO spokesman said: "The effects of these hardware flaws are still being assessed across the board, by product manufacturers and users alike. We will closely monitor the situation as we continue to take proactive measures to mitigate the cyber-security risks."

Indeed, it may be difficult for some IoT vendors to ascertain whether their products are susceptible to hacking. Take autonomous cars, which comprise multiple systems developed by third parties, for example.

"Often, the ostensible car manufacturer has no idea what is inside the black box that performs a certain function - be it for entertainment, engine control, brake control, central locking, telematics or roadside assistance," said cyber-security firm ESET's senior research fellow Nick FitzGerald.

 
A version of this article appeared in the print edition of The Straits Times on January 15, 2018, with the headline 'Experts fear risk to Smart Nation projects from hardware flaws'. Print Edition | Subscribe