As IoT adoption continues to proliferate, manufacturers and adopters are increasingly aware of cybersecurity risks to IoT. Yet, even among IoT security professionals, one significant potential remote attack vector is often overlooked: intentional electromagnetic interference (IEMI).
Electromagnetic interference (EMI) surrounds us. Natural causes such as solar flares and lightning, and man-made sources such as radio and TV broadcasting, radars, microwaves and many others, all emit electromagnetic waves that could disrupt the operation of electrical and electronic devices. That is, they could if devices did not comply with the numerous electromagnetic compatibility (EMC) standards that ensure correct operation in a common electromagnetic environment and resilience to unintentional EMI. Unfortunately, adversaries are increasingly turning to intentional electromagnetic interference (IEMI): electromagnetic (EM) pulses generated at power levels above those that EMC compliance protects against, capable of disrupting or even damaging digital devices.
Recognizing the threat
The decreasing power requirements of IoT devices make them a perfect target for analog interference with the EM fields that surround the circuits and wiring that connect them. IoT devices operate at ever lower internal voltages and communicate through low-power wireless networks. These can easily be disrupted by IEMI attacks that use tools easily obtainable by any garage enthusiast. Short, sharp pulses of high-voltage, low-energy interference capable of disrupting systems can be generated by a device the size of a suitcase.
Many people associate IEMI threats only with the High Altitude Electromagnetic Pulse (HEMP) associated with nuclear explosions, due to frequent depictions in popular media. Although damage from such attacks would be devastating – inflicting permanent damage on all electronics over a large area – the resources needed for such a powerful punch are beyond the capabilities of even rogue nations, thus limiting the field of potential attackers.
Lesser but still damaging attacks can be accomplished by anyone willing to study information readily available on the internet, using off-the-shelf devices like microwaves, electromagnetic jammers or the ESD guns used to test electronic devices for electrostatic discharge resistance. More complex tools with greater range and power can be assembled from specialty devices.
IEMI attacks can be accomplished through either a hard-wired attack or a broadcast attack. Hard-wired attacks produce a more powerful jolt, but broadcast attacks let attackers disrupt a facility from outside rather than requiring them to physically breach it. A poorly protected system could be disrupted by a device sitting in a truck parked outside it or in a briefcase in a public part of the facility.
The nature of IEMI attacks
IEMI attacks cause sharp, high-voltage pulses that temporarily disable the target’s digital systems. They are almost undetectable. A hacker’s attempts to breach a system can be detected while they are in progress; with an IEMI attack, the first sign is the system failing.
IEMI attacks leave no physical trace in the equipment they disrupt. Even error logs leave little evidence of the IEMI nature of an attack. Logs tend to assign normal operational error codes to the failure, which masks the attack’s true nature.
Thus, it is impossible to determine how common IEMI attacks are because of their lack of a physical or digital footprint. Add to that the fact that many suspected attacks are hushed up to avoid damaging the organization’s reputation, and assessing the full scope of the threat becomes even more difficult.
What IEMI attacks can accomplish
The most widely suspected IEMI attack to date was the May 2012 North Korean jamming that affected two South Korean airports. More than 300 airplanes flying into or out of those airports were affected, along with more than 100 ships and fishing vessels that were in the sea near those airports and an untold number of car navigation systems on nearby roadways.
The disruptions were sporadic and likely were part of a series of disruptions over the previous few years. No direct damage is known to have come from these attacks, but experts believe that these attacks were merely tests of the effectiveness of North Korean jamming systems, precursors to future, more damaging attacks.
Researchers irradiating an automobile with a van-mounted IEMI source demonstrated that it would be possible to stop automobile operations at a distance of 500 meters and cause permanent damage at 15 meters. A Swedish Defence researcher estimates that a suitcase-based IEMI source could cause upset or damage to cars, PCs, etc. at distances of up to 50 meters, and even permanent damage in close vicinity.
System disruption is not the only potential problem with IEMI attacks, either. Researchers have found it possible to use EM fields to intercept and decrypt sensitive information from systems, as well. They can reconstruct information that passes through monitors, keyboards, printers and cryptographic devices. And the methods used to reconstruct such sensitive information are now well within the capabilities of any determined hacker.
Other research has shown that VHF waves could be used by attackers to inject commands into voice interface-capable devices. This includes a growing number of IoT devices as voice interfaces grow increasingly popular.
Protecting against IEMI
One clear conclusion is that standard EMI testing is not sufficient to guard against this threat. Standard EMI testing checks only components’ ability to withstand normal interference. And testing of components individually cannot ensure security of the complete system. Test environments for protecting against IEMI are being developed, but they still have a long way to go.
In the meantime, there are steps that can be taken to reduce system vulnerabilities to IEMI:
- Proper grounding procedures are essential. Make sure, however, that the technicians who create your grounding system are well-versed in grounding procedures or you may inadvertently increase your vulnerability.
- If possible, ensure your facility has a large, open space around it to make it hard for an attacker to get a disruptive device close enough to your system to be effective.
- Include metal rebar in outside walls, metal mesh in windows and specialized filtering on cables at their entry points to minimize EMI penetration.
- If possible, replace copper cables with EMI-proof fiber-optic cables.
- Install EMI warning systems appropriate to your level of risk.
IEMI threats are often overlooked in security assessments. Attackers require little technical expertise and can use easily obtained EMI-generating devices. Protecting systems against such attacks should always be part of a comprehensive security plan. To find out more about the IEMI threat and what you can do about it, see my more in-depth article, “The growing threat of intentional electromagnetic interference IEMI attacks.”
Originally published on CSOonline on April 30, 2018.
For over 30 years, Marin Ivezic has been protecting people, critical infrastructure, enterprises, and the environment against cyber-caused physical damage. He brings together cybersecurity, cyber-physical systems security, operational resilience, and safety approaches to comprehensively address such cyber-kinetic risk.
Marin leads Industrial and IoT Security and 5G Security at PwC. Previously he held multiple interim CISO and technology leadership roles in Global 2000 companies. He advised over a dozen countries on national-level cybersecurity strategies.