The internet of things will turn our machines against us
THE WIRED WORLD IN 2016 15 JANUARY 16 by MARC GOODMAN
When most people think of cybercrime, they think of hackers raiding bank accounts, stealing identities and pilfering credit-card numbers. Ah, the good old days. We’ll come to miss them, given what lies ahead for us all.
There is a fundamental paradigm shift afoot in the world of digital crime, and it will make us pine for the simplicity of credit-card theft. Throughout the history of hacking, most of these threats have been constrained to the two-dimensional world of computer screens. The danger was only to our data. But, as the fundamental nature of the computer shifts, so too does the threat landscape.
To most, a computer is a desktop machine, laptop or server. More recently, we have come to recognise that our mobile phones, tablets and gaming consoles are also computers, as are any objects with the word “smart” in their name, such as televisions and watches. As the investor Marc Andreessen famously noted in 2011, “software is eating the world.” In other words, the physical objects in our world are slowly transforming into information technologies, a phenomenon referred to as the internet of things (IoT).
The possibilities of the IoT are significant — your Nest thermostat will save you money on your energy bill, your Fitbit will carefully monitor your activity and your car will drive itself (and you) to the office. The IoT is expected to be worth $11 trillion (£7.1tn) to the global economy by 2025, as factories modernise, city infrastructures go online, and the world of logistics is completely transformed. Intel estimates 200 billion new objects joining our global information grid by 2020.
But let’s remember all of these devices are also computers and, to date, no computer has been built that could not be hacked. In July 2015, hackers remotely commandeered a Jeep Cherokee as it drove down a highway at 110kph and killed its engine mid-stream, bringing the vehicle to a halt. Modern automobiles are no longer purely mechanical devices: each has hundreds of computer chips in it, controlling everything from airbags to windscreen wipers. Today’s cars are nothing more than computers we ride in.
Computers that we fly in are also subject to hacking. Recently, the FBI detained a computer security researcher who claimed to have accessed data from a United Airlines flight’s engines, mid-flight, while seated on an aircraft as it flew from Chicago to Denver. The breach reportedly occurred when the hacker plugged his own laptop into an available port underneath his seat, bypassing the in-flight entertainment system software to access the plane’s flight management system.
The possibilities for disaster are manifest. In this brave new world, when cybercrime goes 3D, identities aren’t stolen — lives are lost.
Though more and more of the inanimate objects in our lives are becoming “smart”, there is no guarantee they will remain loyal. Home networks can be subverted via Nest thermostats, not only allowing hackers to remotely raise your heating while you’re on holiday, but also to know that you are out in the first place by seeing the device has entered “away mode”, a perfect time for burglars to visit.
In retail, point-of-sale terminals are vulnerable: in 2013, 100 million US customer accounts were breached when hackers subverted a third-party contractor’s data systems to gain access to the tills. With billions and billions of new devices coming online, it is near impossible to map the network complexities of this world — a building’s air conditioning unit may well provide a point of entry to a store’s customer data.
Despite this, the promise of the IoT drives us to connect an increasing number of devices to the internet. And as we do, more and more objects are being hacked. Smart light bulbs with poor encryption can leak a router’s administrative password. Baby cameras and nanny cams have been subverted by paedophiles and others to spy on children.
Networked printers can not only leak documents for purposes of industrial espionage, but can have their firmware remotely attacked, causing fusers to overheat and catch fire, allowing hackers with a touch of pyromania to start fires remotely inside offices or homes. And whereas smart refrigerators that re-order eggs and milk when you are running low sound great in theory, a persistently connected fridge can also be attacked and become enslaved in a botnet, using its processing power and connectivity to send out millions of spam messages for Viagra while you sleep in the next room.
Not only are we riding and flying in computers, we are increasingly placing them in our bodies as well. Pacemakers, diabetic pumps, implantable cardiac defibrillators and cochlear implants too are connecting to the internet — and hackers are not far behind, as demonstrated frequently at conferences such as BlackHat and DEF CON.
Our wearable fitness devices can be compromised, as can those implanted in our bodies. As man and machine merge, we are increasingly becoming cyborgs. For the first time in history, the human body itself has become subject to cyber attacks.
According to a study by Hewlett-Packard, a full 70 percent of IoT devices are vulnerable to attack, with each containing an average of 25 separate vulnerabilities per product. In July 2015, it was revealed that a single software bug in the Android operating system made nearly one billion devices subject to hacking merely by sending them an infected SMS message.
The security vulnerability, Stagefright, provides attackers access to all personal information on the phone, tracking of its user and remote control of the device’s microphone and video camera, as well as any photos or financial transactions processed by the device.
The fact that a billion of anything could be hacked with a text message should give us some perspective on just what becomes possible when billions of new IoT computers are connected to the global information grid. What if a similar flaw had affected a million cars, or pacemakers, or power plants?
In 2016, fundamental IoT device insecurity means that there will be an ever-expanding “threat surface-area” for hackers to exploit. Nowhere are these effects more worrisome than when it comes to national critical infrastructure — bridges, tunnels, power plants, water-treatment facilities, hospitals, emergency services, financial markets and transport nowadays are all run by computers.
The threat isn’t just from state actors, such as the infamous Stuxnet worm that crippled the Iranian nuclear enrichment facility in Natanz; today the tools for attack are becoming commoditised. The growing interconnections between traditional information systems and the IoT mean cybercriminals can attack buildings, railway systems and chemical storage facilities.
In Germany, hackers recently used a phishing email scam to infect the business information systems of a large national steel mill. Once inside the company’s IT infrastructure, hackers wound their way into the firm’s operational technology at the plant, causing an enormous blast furnace to overheat and explode.
When cybercrime goes 3D, bits and bytes can be manipulated to move atoms. In effect, our machines can be turned against us. Though we’ve wired the world, we’ve failed to secure it.
Of course, things needn’t be this way. IoT security has been an afterthought — to say nothing of the draconian privacy implications of having all the things around us constantly reporting on our every movement, word and action. Individuals must take back control of their devices and demand more transparency from manufacturers. The time to think about our technological security is not after we connect 200 billion insecure new computers of all shapes and sizes to the internet, but before.
Security, safety and privacy must be engineered during the earliest phases of an object’s development cycle, including its firmware, hardware and software. The cost of not doing so is simply too high for society. Ignore these important steps and the internet of things may prove to be nothing more than the internet of things to be hacked.