Canada's Spies Are Losing Sleep Over Smart Fridges

Documents show a top Canadian intelligence official listed the Internet of Things as a major fear.

|
Oct 7 2014, 9:00am

After pesky leaks, traitors, and Chinese hackers stealing Canadian intellectual property, Canada's intelligence community is also worried about the advent of smart fridges and wifi-enabled alarm clocks.

Documents obtained by Motherboard under the Access to Information Act show one of Canada's top cybersecurity officials discussing concerns around the Internet of Things—and the potential for hostile actors to exploit Canadian government infrastructure.

In speaking notes from a February 2014 address to the upper brass of Canadian intelligence agencies at CSIS headquarters, Robert Gordon—a special advisor on cybersecurity for the department of Public Safety—outlined his "new and emerging threats, and relevant technologies" for Canadian cyberspace.

Related: Canada's Spy Agency Partnered with Quebec's Hackfest to Recruit New Hackers

"I was asked by the Conference organizers to comment on things that keep me up at night," he said, conceding that luckily it's the responsibility of CSIS and CSEC to carry most of the burden of intelligence concerns. Nonetheless, Gordon said "while we have made significant progress there is still much to do."

CSEC headquarters in Ottawa. 

"Some are new and emerging challenges," he said, before giving examples of the security exploits keeping him from a good night's sleep, including "the adoption of mobile computing… the move to the 'Internet of Things.'"

Some of Canada's top spies were privy to the address at the joint meeting of the Council for Security Executives, including the director of CSIS and an assistant deputy minister from CSEC.

In July, one CIA official expressed his own concerns surrounding the rise of the Internet of Things as a new frontier for cyber espionage. The thinking is, with the growth of networked objects, spies, and other types of hostile agents have a number of new wifi-enabled platforms to exploit government or domestic computer systems. Before, hackers were confined to routers and laptops—now they can target wrist watches, smart microwaves, and whatever else to gain access to networks. 

In his opening remarks, Gordon said "the Internet has become the place where we work and live" and that it's "a place under attack." Part of those attacks, he inferred, were from foreign hostiles. Gordon added that countries with strong cybersecurity standards are "considered a safe place to invest and develop digital e-commerce."

Under those terms, Gordon said it was incumbent on the government to "protect the private information of Canadians," including "the sensitive personal, business, economic and national security information on government systems."

Part of that responsibility is on the shoulders of CSEC—Canada's signals intelligence agency—to secure Canadian government and private cyber infrastructure from malicious attacks, especially from foreign hostiles.

"Cyber threat actors continually probe Government of Canada networks looking for any kind of vulnerability in order to gain access to government networks and information," said CSEC spokesperson Ryan Foreman when I asked the agency if it was concerned about the rise of the Internet of Things. 

Foreman explained that CSEC provides the feds with "guidance" protecting networks and systems, which includes reinforcing "wireless networks, mobile platforms and other devices connected to Government of Canada networks."  

It's well established that the emergence of objects with cyber capabilities provides new physical threats if hacked and controlled. Indeed, Dick Cheney feared his wifi-enabled pacemaker might be the target of terrorist hackers looking to assassinate the maligned former vice president.

Cyber threat actors continually probe Government of Canada networks looking for any kind of vulnerability

But intelligence agency fears surrounding the Internet of Things might be a smokescreen for what one expert said they also see it as: a new offensive platform to launch their own attacks.

"In one way, I'm sure intelligence agencies are happy, because it means more attacks surfaces for them to gain access to systems," said computer security expert Robert Masse, the Canadian director for cybersecurity firm Mandiant.

According to Masse, while Canadian spies must worry about the security exploits hackers could target in simple wifi-enabled equipment, they've likely found ways to mitigate most of the major issues and are "well secured." Where the true opportunity lies within the Internet of Things is in developing a brand new offensive field to exploit for themselves.

"Say you're a manufacturer of smart TV sets... if you're an intelligence agency you want to get as much information as you can on the firmware those TVs are using, because you never know if one of those TVs are in an embassy or someone's house and they can try and get in through the TV," said Masse.

"Intelligence agencies are always trying to expand their tool kit, so they have the most attack surfaces as possible," said Masse, adding that at the same time it also means enemies have a bigger attack surface to target Canadian assets. 

That being said, the Internet of Things might further imperil the safety of Canadian IP, considering the access to major RND Chinese hackers enjoyed before being caught by CSEC in the summer. There's still no word how Chinese agents were able to gain network entry to the National Research Council databases. Whether or not it was a classic spear phishing attack or an exploited government device remains unclear.

In other words, while it might present a new offensive playground for Canadian spooks to exploit, the Internet of Things might just be one more thing to worry about in a weak Canadian cyber infrastructure.