Internet of things: is it a security nightmare?

8 Oct 2015

The internet of things (IoT) has been sold as a positive all over the world. Connect your house to your phone! Answer your door from the beach! Feed the dog while you commute! Yay, yay and yay. But surely something risky lurks beneath.

Among the many, consistent tag lines and audience-whooping statements on Top Gear, one snippet always stuck with me as I watched the show. ‘The more gadgets there are in the car, the more things can go wrong.’

I’m not sure why that memory, rather than cars exploding, rockets firing and celebrities guffawing, stuck with me all this time but, as we look at the nascent world of IoT, it’s certainly a thought that has grown in prominence.

To extrapolate the idea out a little, the more items that are connected over the internet, the more likely they can be compromised.

Internet of things: An evolving story

When you consider how much we rely on so many device-laden things – central heating, air conditioning, refrigeration, communication, wearables, transport, etc. – this can prove worrisome.

Last month, we reported on a research fellow at University College of Cork who discovered a way to hack into self-driving cars, confusing them into thinking there are pedestrians, cars and even walls in their way.

Jonathan Petit’s project is as basic as a laser pointer partnered with an off-the-shelf product like a Raspberry Pi.

By taking ‘echoes’ of a fake car, Petit claims he can put them in any location he wants, tricking cars into thinking there is something straight ahead, which provokes evasive action, or even overwhelming the vehicle, rendering it stationary.

Imagine that. A laser pointer – that toy we all had as kids, loving the irritation we could spread from so far away – used to render driverless cars useless.

Render them bricks, perhaps.

Internet of destructive weapons

“Making devices fail is an incredibly powerful and destructive weapon,” Kevin Bocek, VP of security strategy and threat intelligence at Venafi, tells me, before ransomware, something that’s been nagging me for a while now, crops up in conversation.

For those of you unaware, ransomware is an incredibly annoying and effective way for cybercriminals to make money. They can essentially lock your computer and give you a certain amount of time to pay up or never get your files back.

Radiolab’s recent documentary Darkode explains just how irritating this is in a fine way.

A traffic jam of ransoms

“What happens when an electric car no longer trusts and obeys the manufacturer?” asks Bocek. “A bad guy could give a 24-hour ultimatum: either pay up or all cars stay bricks (or, even worse, start to become weapons that hurt people).”

As Petit proved, and as a recent GM nightmare did too, this isn’t an imaginary concern. This is real life. And, worse still, it’s becoming easier to hack.

“In the past, each enterprise network that might be targeted was somewhat different,” says Bocek. “Now hackers have millions of devices that are all deployed at the same time, and can easily be purchased and researched patiently.”

The why, not the how

Motives, surprisingly, pose the biggest concern. Will hackers work for profit, directly from the victim? Or will they work for disruption on a small or even large scale?

Basically anything with an IP address, or anything that is controlled by something with an IP address (like critical infrastructure), is going to be vulnerable to attack and exploitation.

So argues Justin Harvey, CSO of Fidelis Cybersecurity, who notes that, as enterprises are continually attacked, successfully, via numerous avenues, “just think how bad the average consumer user is”.

Harvey, and many cybersecurity companies across the world, are starting to track remote access trojan networks that have vast node counts.

This basically means hackers that compromise these in-home endpoints can get complete control, including the capability to spy on the user, take control of the machine and execute commands.

Kinetically destructive

“It is not outside the realm of possibility,” says Harvey, “that there will be an exploit for an IoT device that could be considered ‘kinetically destructive’.”

Those two words don’t often rest together well on a page. Kinetically destructive could mean anything from overheating to melting down a device. “Essentially forcing the device to go well beyond programmable norms.”

Suddenly, your interconnected home doesn’t sound so appealing, does it? And it’s increasingly unlikely that this push towards connectivity and IoT will end well – let’s face it, the term ‘privacy’ has become an ever-changing thing, as has ‘off grid’.

“There will be no such thing as ‘off grid’,” says Bocek.

We have only just begun

“Everything that you plug into a socket – from the toaster, iron and fridge, and even out to your bicycle – will communicate across the internet and share, consume, and process data in ways that we’re only getting the first glimpses of.

“Today’s kids will never know a reality without the internet, so it will only seem natural for their generation to have everything network connected and talking.”

What’s important now is that manufacturers invest in misbehaviour detection, something Petit noted in his project that hacked into automated vehicles.

“But I don’t think carmakers have done it yet,” he said at the time. “This might be a good wake-up call for them.”

Them and all the other manufacturers of smart lights, heaters, refrigerators, doors, security systems, toasters…

IoT Makers Week explores the internet of things revolution and the makers driving it with reports on from 5 to 9 October 2015.

Gordon Hunt was a journalist with Silicon Republic