Santa-hacking – how to carry out a cyber attack on Father Christmas

Hold on security services (and angry parents), it should be noted that this is a hypothetical attack. No elves or reindeer have been harmed in the production of this article.

Felix and Alex from You Gotta Hack That (they preferred that we didn’t use their second names – the naughty list and all that) worked out how they could go about a Santa-based cyber attack starting on the North Pole toy production line, right through to the sleigh’s Sat-Nav.

“A tricky client, who turns out to be the Grinch, has asked us to find ways to secretly disrupt Santa’s supply chain and deliveries,” they explained in their podcast.

Their “brief” was for cyber physical effects to cause disruption and slow down the whole production process, but they had to be subtle enough to not be noticed. 

“Yes it’ll hit the news, but not because it’s a suspected cyber crime,” they added.

The MediaCity-based company specialises in Internet of Things and Operational Technology penetration testing, and the serious message behind it is how hackers can access operational technology (OT) and IoT to cause a major impact on a business, sometimes without the company actually realising anything is wrong.

Before going into details about how he’d mess up Christmas, we asked Alex how realistic and common this kind of attack was.

“This is a really difficult question to answer because by its very nature, we don’t know about attacks that we haven’t detected. When you think about the amount of time and effort it takes to launch such a subtle attack, it also makes you wonder whether an attacker has done all the prep and is simply waiting for the perfect moment in time to strike in order to inflict the most amount of damage,” he explained.

“In this profession it is very easy to see all the cyber security problems that exist – and there are utterly huge numbers of issues – but if this is the case why is the world not on fire? I believe the answer is that it takes a sustained effort from someone with a high level of skill to be able to achieve these effects and frankly, there aren’t that many of us around. In the last week or so NATO has warned that we all need to move to a war-footing and explicitly called out cyber-attacks as part of that, so maybe the world isn’t on fire but maybe the cyber attacks are smouldering instead?”

Back to the Christmas hack. They explain how you can “muck around with the ‘ingredients’” so when the elves are building toys, they find out that one bit doesn’t fit another bit, because the hackers have changed the specifications. But it’s subtle enough that they think the work’s department got it wrong, or it’s an IT issue. So it just looks like “the wrong part turns up for the right reason.”

Even into distribution and delivery, they examine how you could mix up address lists or coordinates, so that Santa needs to revert to old-fashioned navigation – presumably Rudolph’s nose – rather than hi-tech satnav, potentially missing chimneys but definitely slowing down the process.

Furthermore, false safety alerts could be triggered on the sleigh, meaning the team no longer trust its systems.

Just in case that doesn’t work, You Gotta Hack That also considers hacking into the home IT systems of key workers, so they’re distracted from their key tasks; and even stopping food deliveries for reindeer so they’re tired and slow.

“I try to encourage organisations to think about how interesting they might be to a potential attacker,” continued Alex.

“This needs to be done with more than just a fleeting thought too. Often the 2nd and 3rd order effects are the ones that are the most subtle. It isn’t as simple as ‘we only make widgets, so we aren’t interesting.’

“The question you should be considering might be ‘Do our widgets get used to make parts that go into a product that gets used by an organisation that an attacker would be interested in?’

“Hopefully this demonstrates the potential for a layered attack profile where poking something in one area can have unexpected influence somewhere else that is seemingly disconnected. When you combine this subtle form of impact with the common lack of cyber security in organisations that assume they don’t matter, you end up with a really attractive target.”

To find out why they probably were on the naughty list this year (but have undoubtedly hacked it), you can listen here.
