The idea that a computer virus could damage hardware is something that has plagued the cyber community. Some of the more sensational stories out there suggest that it’s possible to send a bomb via email. I stumbled upon this article, first published in 2000, when researching a piece I wrote about email bombing — a term used to describe the action of flooding an inbox with spam. The story was dubiously sourced and, looking back, seems like pure fiction for that time period. I’m not an explosives expert, but the idea of an actual email bomb seems far-fetched, as there would need to be something to detonate.
I don’t think an actual bomb is something MSPs have to worry about defending against, but the reasons today may have less to do with technological feasibility and more about incentives. There’s also the added factor that more and more people are using mobile devices and exploding a phone in a pocket seems like something out of a spy novel. Still, the whole idea of causing hardware damage via software is interesting, and, as it turns out, not completely without merit. This idea still sparks discussion in reputable forums. Part of the problem is that the line between what can be considered “physical damage” and software damage has become blurred.
Malware interference in Iran’s nuclear program
The most famous incident of a virtual attack causing physical damage occurred in 2014, when the increasingly sophisticated Iranian nuclear program raised international concern. While it has never been clear who initiated the attack, the Stuxnet worm made its way into the Iranian nuclear complex at Natanz and caused centrifuges — which spin uranium into weapons-grade material — to malfunction. The excessive spinning caused such strain on the physical hardware that over 1000 computers imploded. The damage was so extensive that Iranians took the plant offline and their program has not recovered.
However, that’s a nuclear plant. What about someone in the corporate office of an accounting firm or a hospital executive? Could they receive an email that, if opened, would unleash physical destruction on their computer? For thoughts on this topic, I reached out to Roger Nebel, a Homeland Security & Emergency Management instructor at the University of Alaska-Fairbanks.
According to Nebel, an “email bomb” or physical attack on a computer wouldn’t be very practical. Nebel did mention Stuxnet as an example of a wide-ranging virus causing physical destruction, but the goal in that example was a huge prize: stopping Iran’s nuclear program.
“So, yes, malware can cause physical damage,” Nebel says. However, he adds that attacking a single computer with malware to destroy hardware would not be very lucrative for hackers.
“Most hackers are criminals; they are after quick payoffs, not the destruction of hardware. Usually it’s something that can be easily monetized like Bitcoin or credit card numbers.” For hackers, there’s not a lot to gain by expending many resources to try to destroy one person’s computer or even an office network.
Will nation-states use malware as a physical weapon?
Even deeper-pocketed nation-states that have the technical expertise to destroy computers don’t have much incentive to do so.
“Nation-states are usually after espionage data and usually are not funded to break hardware, as in the case of Stuxnet which had a purpose in mind,” Nebel said.
Still, seeing the success of Stuxnet against Iran in 2014, I personally don’t think it’s a stretch to imagine an attack on a government network that would lead to physical damage. According to Nebel, it is technically possible to cause physical damage from malware if one has access to the right resources.
“Yes, given enough money I can break hardware. Maybe not set it on fire, but I could cause it to overheat so the CPU needs to be replaced. However, there are only a few nation-states, and there aren’t any criminal groups who are interested in funding that,” Nebel explains.
Nebel says that MSPs should have antivirus protection, intrusion detection systems, and people who are trained in how to root out possible Stuxnet-type intrusions. Third-party penetration tests, monitoring CPU usage, and monitoring the temperature of systems are vital. If there is a physical vulnerability — especially in older computers — it would be found in computer fans.
A newer threat to physical devices is emerging with IoT devices.
“With more items gaining web connectivity as part of the Internet of Things (IoT) movement, the need to protect physical devices from hackers will only increase,” writes Lior Div, CEO and founder of Cybereason.
The fear is that hackers could overpower brakes on autonomous cars, causing them to crash and physically destroy the vehicle. This example illustrates how the once clear line between cyber and physical can easily be crossed. While I wouldn’t expect exploding computers anytime soon, MSPs should be alert to the increasingly blurred line between physical and technical boundaries. There could be situations in the not-too-distant future where the two collide more frequently.