Why puny IoT security could kill sooner rather than later
Poorly secured Internet of Things(IoT) devices are already powering robust DDoS-for-hire services, but the real threat is yet to come.
Puny IoT security will kill and some experts predict it will happen this year. Internet-connected devices are now incorporated into every aspect of modern life, but as security continues to lag behind, this technology could soon become deadly.
Since the 1970s, the misuse of automated machines has resulted in tragedy. But what happens when potentially murderous criminals get control of life-threatening devices, like self-driving cars and pacemakers?
The out of control Internet of Things
As businesses and consumers are accelerating their adoption of IoT technology, the number of internet-connected devices is predicted to hit 15 billion by 2021.
The benefits of IoT devices are massive and we’re only scratching the surface of their potential. From industrial manufacturing, to the development of smart cities and motorways, every industry could benefit from this technology.
But a surge in connected devices is creating massive problems for cyber security; there are billions of potentially hackable devices using outdated security technology. Amplified by a carefree approach to IoT security and lack of manufacturer regulations, these devices are extremely vulnerable to exploitation.
Cyber criminals are well aware of these security weaknesses. In the past three years, American telecommunications firm AT&T has reported a 3,198% increase in attackers scanning IoT devices for vulnerabilities.
Lack of security in IoT devices directly caused the largest DDoS attack in history as thousands of devices infected with the Mirai malware bombarded Dyn, a company that controls domain name system infrastructure. The result knocked much of the internet offline, including Reddit, Twitter and Netflix.
The websites were brought back online but Mirai continues to mutate, becoming increasingly contagious. In February, the malware was modified to infect Windows systems.
IoT security knowledge is lacking in manufacturers and connected devices with poor cyber defences are regularly hacked. Whilst damaging to businesses, these attacks haven’t resulted in the loss of life - but it won’t be long.
A direct threat to healthcare
The Internet of Things is revolutionising healthcare, an industry that relentlessly demands better solutions for less cash and where failure can directly result in loss of life. The challenge is to build effective devices, without compromising sensitive health records or human life.
Internet connected healthcare is a security nightmare, but it hasn’t yet resulted in death. However, the industry isn’t off to a good start. In 2016 cyber criminals hacked three UK-based hospitals, resulting in the cancellation of all appointments for two days.
Because of the high stakes and potential lack of cyber security awareness, hospitals are the perfect target for ransomware, a malware tactic that locks down company data and files until a fee is paid to the criminals.
Incidents of ransomware is rising and potentially deadly cases of ransomware attacks on hospital networks saw hackers hold sensitive patient data hostage. These hacks directly endangered the lives of patients relying on a functioning hospital network.
With the rise of internet-connected healthcare devices, what happens when hackers gain access to these life-sustaining devices? The outlook is grim: in 2011 one hacker demonstrated his ability to remotely access and shut down insulin pumps within a 300m range.
In 2016 researchers identified security flaws in cardiac defibrillators, meaning that right now healthcare devices could potentially be accessed by hackers.
Instead of locking down computer networks, the threat from connected healthcare devices is far more tangible: instead of access to sensitive data, it might be the life-sustaining pacemaker of a patient that hospitals are bargaining for. If these ransoms are paid, a criminal industry will be financed. However, the other option is unthinkable.
Cyber criminals can already hold hospitals to ransom and they’ll soon be bargaining with the lives of vulnerable patients. When this happens, poor IoT security will be directly responsible.
Smart cars: an opportunity for hackers
Puny IoT security will kill soon and healthcare isn’t the only industry where a lack of IoT security could result in deadly consequences. Car manufacturers are racing to build the first mainstream consumer-friendly smart-car, but as with healthcare, security is being left by the roadside.
Integrated information systems mean a better experience for the driver and self-driving is widely lauded as the next major automotive revolution. But by integrating technology into these vehicles, they become as hackable as your smartphone.
Car-hacking is real and it’s shown to be effective. One zero-day exploit gave control of self-driving Jeep Cherokees over to hackers. Luckily, this test was safe but it did result in Chrysler recalling 1.4million vehicles.
A precedent has been set and with the development of more connected-vehicles, hackers won’t be far behind. In 2015, there were 471,000 vehicles using systems vulnerable to hackers on the roads.
Infrastructure at risk
In 2016, Ken Munro, a cyber security researcher at Pen Test Partners, identified a major flaw in internet-connected thermostats. Whilst this may sound relatively harmless, the consequences could be severe.
With access to these vulnerable connected-thermostats, a hacker could manipulate thousands at once, causing a spike in power levels.
“That would be an enormous drain on the power grid, and it doesn’t take much to push a power grid into an overload situation, causing shutdowns, ” Ken Munro stated at IPExpo at Excel in London.
If an attacker can take down enough power stations, it will result in a massive power outage that could take days to recover from. Loss of electricity could be deadly, especially for society’s most vulnerable.
Cyber attacks against critical services could be devastating and this technique is being used effectively in Ukraine. In 2016, Kiev revealed a cyber attack on the city’s internet-connected power grid, leaving the northern part of the capital without electricity.
But there is some good news, The Cloud Security Alliance announced 13 steps to developing secure IoT products. However, unless IoT security improves in the short-term, we can expect to see an increase in hacks that put human lives at risk.
Interested in hearing industry leaders discuss subjects like this and sharing their IoT use-cases? Attend the IoT Tech Expo World Series events with upcoming shows in Silicon Valley, London and Amsterdam to learn more.