Interconnected and unprotected: innovation in IoT outpaces security

Insight

There will be an estimated 11 billion devices connected to the internet of things (IoT) by the end of 2018, each one a potential point of attack for malicious actors seeking to harm individuals or even entire nations. Cybersecurity experts are calling on governments to step in and strengthen laws governing internet-connected devices, even if that means slowing the pace of innovation.

The growth in internet-connected devices proceeds at a breathtaking pace. Gartner predicts that by 2020 there will be more than 20 billion installed IoT units. While the bulk of these will be consumer devices such as cars, smart TVs, thermostats and lightbulbs, industry and government are also rapidly adopting internet-connected sensors and robots to improve the efficiency of processes from manufacturing to asset, warehouse and supply chain management. The physical world and its various digital representations are becoming ever more closely intertwined, so that changes in one have immediate knock-on effects in the other. If this trend continues unchecked, argues cybersecurity expert Bruce Schneier, then our property, bodies and critical infrastructure are all in danger.

The problem with patches

In his new book, Click Here to Kill Everybody, the respected cryptographer, computer security writer and CTO of IBM Resilient contends that the internet and internet-connected devices are now so central to economic life that cyber attacks have the ability to bring entire societies grinding to a halt, endangering lives as well as bottom lines. The current approach of IoT device manufacturers to security threats – issuing patches and fixes to address vulnerabilities as they become evident – is insufficient to tackle the growing threat, says Schneier.

“Patching is a way of regaining security. We produce systems that aren’t very good, then find vulnerabilities and patch them. That works great with your phone or computer, because the cost of insecurity is relatively low. But can we do this with a car? Is it okay to suddenly say a car is insecure, a hacker can crash it, but don’t worry because there will be a patch out next week? Can we do that with an embedded heart pacemaker? Because computers now affect the world in a direct, physical manner, we can’t afford to wait for fixes.”

Schneier isn’t the only one ringing alarm bells. Market research giant Forrester predicted late last year that IoT would move from experimentation to business scale in 2018, but also that security would become a more pressing issue:

“Security vulnerabilities are a significant worry for firms deploying IoT solutions – in fact, it’s the top concern of organizations looking at deploying IoT solutions. However, most firms don’t consistently mitigate IoT-specific security threats and business pressures overwhelm technology security concerns. In 2018, we’ll see more IoT-related attacks like the Mirai botnet that caused havoc – except they’ll grow bigger in scale and impact.”

Journalist and blogger Cory Doctorow reports on such Internet of Things-related security failures at Boing Boing. The threats fall into several broad categories.

Botnets

A bot is a program which runs automated tasks over the internet. By exploiting vulnerabilities in a particular IoT device, hackers can install bots on a huge number of those devices, giving the hacker control over a small army of internet-connected computers, or botnet. Botnets are commonly used to perform Distributed Denial of Service (DDoS) attacks – where the botnet bombards a server with an unmanageable number of requests to render it unusable. Other uses include sending spam emails, perpetrating click fraud (creating false internet traffic to e.g. fraudulently boost ad revenue), mining for Bitcoin or searching for other devices to infect.

The Mirai botnet, discovered in 2016, has enslaved a huge number of IoT devices to perform DDoS attacks on high-profile sites like Netflix, GitHub, Reddit, Twitter and Airbnb. It used a very simple technique to grow what was essentially a distributed supercomputer: it scanned big blocks of the internet for open Telnet ports and attempted to log in using common default username and password combinations. Because people very often never change default login details on IoT devices, the attackers were able to take control of millions of devices without their owners’ knowledge.
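The scan-and-guess pattern described above leaves a recognisable trace in network logs: one source trying several usernames against Telnet on many different hosts. The following Python example is added here for illustration and is not part of the original article; the log format, field names, thresholds and the treatment of port 2323 as an alternate Telnet port are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}  # assumption: 2323 treated as an alternate Telnet port
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"event=(?P<event>\w+)(?: user=(?P<user>\S+))?"
)

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
2018-10-01T12:00:01Z src=203.0.113.7 dst=10.0.0.11 dport=23 event=login_failed user=root
2018-10-01T12:00:02Z src=203.0.113.7 dst=10.0.0.11 dport=23 event=login_failed user=admin
2018-10-01T12:00:03Z src=203.0.113.7 dst=10.0.0.12 dport=2323 event=login_failed user=support
2018-10-01T12:00:04Z src=203.0.113.7 dst=10.0.0.13 dport=23 event=login_failed user=root
2018-10-01T12:00:05Z src=203.0.113.7 dst=10.0.0.13 dport=23 event=login_ok user=admin
2018-10-01T12:03:10Z src=198.51.100.20 dst=10.0.0.11 dport=23 event=login_failed user=ops
2018-10-01T12:03:20Z src=198.51.100.20 dst=10.0.0.11 dport=23 event=login_ok user=ops
2018-10-01T12:04:00Z src=203.0.113.7 dst=10.0.0.14 dport=443 event=conn
"""

def find_default_credential_sweeps(log_text, min_hosts=3, min_users=3):
    """Return {src: report} for sources guessing logins on many Telnet hosts."""
    hosts = defaultdict(set)     # src -> distinct Telnet destinations contacted
    users = defaultdict(set)     # src -> distinct usernames that failed
    failed = defaultdict(set)    # src -> destinations with at least one failure
    breached = defaultdict(set)  # src -> destinations where a success followed a failure
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in TELNET_PORTS:
            continue  # unparseable line or not Telnet traffic
        src, dst = m["src"], m["dst"]
        hosts[src].add(dst)
        if m["event"] == "login_failed":
            users[src].add(m["user"] or "?")
            failed[src].add(dst)
        elif m["event"] == "login_ok" and dst in failed[src]:
            breached[src].add(dst)
    # A single mistyped password on one host stays below both thresholds.
    return {
        src: {"hosts": sorted(hosts[src]), "usernames": sorted(users[src]),
              "likely_compromised": sorted(breached[src])}
        for src in hosts
        if len(hosts[src]) >= min_hosts and len(users[src]) >= min_users
    }

if __name__ == "__main__":
    for src, report in find_default_credential_sweeps(SAMPLE_LOG).items():
        print(src, report)
```

Hosts listed under `likely_compromised` accepted a login after earlier failures from the same source, so they are the first candidates for a credential reset and for closing Telnet altogether.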

Remote recording

Once attackers gain the ability to install software on an IoT device, they’re pretty much able to interfere with the normal operation of that device, and its associated apps, in any way they can think of. Webcams and IP cameras can be hijacked by criminals to obtain blackmail material, conduct reconnaissance for burglaries or espionage activity, perform identity theft or for simple voyeurism. In the most notable case, between 2010 and 2012, all cameras in the popular TRENDnet range contained a software flaw which allowed remote viewing and recording by anyone who knew the camera’s IP address.

Ransomware

The WannaCry cryptoworm made headlines last year when it encrypted the data on Windows computers at a number of large organisations around the world and demanded ransom payments in Bitcoin. Patients at 16 NHS hospitals had to be turned away from planned procedures due to the unavailability of critical systems. IoT devices generally don’t store data vital to their owners – that’s usually stored in the cloud – but attackers could still render devices unusable at critical times. This would be especially effective on devices that are placed in inaccessible locations, where it would be difficult to manually reset them and install a patch. Devices crucial to critical infrastructure like power grids, where even temporary outages could do serious economic damage, are likely targets.

Data theft

IoT devices may not store your customer data, but they might provide attackers an easy entry point to your network. Last year, cybercriminals were able to steal valuable customer data from a casino, gaining access to the network by hacking the smart thermostat in a lobby fish tank. Smart devices – including TVs, HVAC systems, refrigeration systems, cameras and even smart lightbulbs – can greatly increase the attack surface of an organisation’s network, providing attackers a foothold from which they can take control of other devices on the network and exfiltrate sensitive data.

Remote vehicle control

Like most manufacturers, Chrysler designed their smart cars in such a way that there was an ‘air gap’ between the hackable WiFi multimedia system and the vehicle’s internal network which controls the engine, brakes, transmission, sensors etc. Nevertheless, the company had to recall 1.4m Jeeps in 2015 when security researchers managed to remotely cut the transmission of a vehicle driving on a highway in traffic. In addition to causing motorway mayhem, hacking a vehicle’s internal network could also be done to track the movements of the owner via GPS, carry out industrial espionage on a company’s fleet or, in a terrifying variant of a ransomware attack, even imprison the user in an immobile vehicle until a ransom is paid.

Personal attacks

Most cybercrime, like email spam and phishing, is high volume and opportunistic. A more insidious version deliberately targets individuals for the purposes of stalking, extortion, or even assassination. A plotline in the TV series Homeland involved assassination of a political figure by hacking into their pacemaker – a scenario that so concerned former US Vice President Dick Cheney that he had the wireless capabilities of his own medical implant disabled. Researchers have also shown that IoT medical devices in hospitals can be hacked to send erroneous data back to central systems, opening up the possibility of assassination by unnecessary medical intervention. There are also a growing number of stories of stalking, domestic abuse and home intrusion that have been enabled by hacking people’s personal IoT devices.

Advanced persistent threats

Criminals aren’t the only parties interested in taking control of IoT devices for nefarious ends. Nation states and their proxies are also working feverishly to exploit vulnerabilities in smart devices to gain an edge in cyberwarfare. In a well-known, fairly recent example, the Stuxnet worm, a joint US and Israeli project, is believed to have infected centrifuges used for uranium enrichment in Iran, causing serious damage to the nation’s nuclear program.

Amid calls for an international treaty on the use of cyberweapons, so-called Advanced Persistent Threats (APTs) are a major concern for planners due to their potential for causing huge damage to infrastructure critical to the economy or the security of nation states. The possibility of IoT-enabled terrorism is also very real: Verizon reported in 2016 that hackers had managed to take control of programmable logic controllers in a water utility, allowing them to change the chemical mix in water bound for homes.

The IoT security challenge

While the Internet of Things has tremendous potential to improve many aspects of human life, from energy efficiency gains enabled by smart sensors to personalised medicine enabled by smart implants to reductions in road deaths due to driverless cars, innovation is currently running ahead of vendors’ ability to maintain security. Some experts, such as Charl van der Walt of SecureData, have referred to this growing shortfall as a cyber security debt crisis (Gartner forecast that worldwide enterprise security spending would reach $96 billion in 2018, driven largely by cyberattacks and data breaches). Schneier recognises that this is not an issue that the market mechanism is suited to solving, as companies race to take advantage of digital opportunities at the cost of security:

“As long as you, as a company, won’t gain additional market share because of being more secure, you’re not going to spend much time on the issue.”

He calls on government to step in and beef up regulations through “flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company’s earnings”. But he also acknowledges that governments have interests on both sides of the equation, since they like to exploit vulnerabilities to spy and gather evidence for criminal prosecutions.

California has recently introduced the US’s first legislation for IoT device manufacturers, though critics claim the laws are toothless. Meanwhile, the EU’s NIS directive is geared more towards protecting critical infrastructure from attack than protecting individuals and businesses from insecure IoT devices.

Whether manufacturing IoT devices or merely using them, van der Walt urges enterprises to assess their own cyber security debt using techniques borrowed from the financial system. He likens the growing size and complexity of enterprise technical debt to the shadow banking system prior to the global financial crisis of 2007-08, and reminds us that, since technical debt accrues interest, and will eventually become toxic, it’s best to service it sooner rather than later.