The hyper-connected world of the “Internet of Things” may be convenient, efficient and cool, but it has a scary underside: An attack on connected devices is often an attack on the victim’s physical space and being, and unlike regular hacking attacks could result in injury or death.
The Internet of Things (IoT) refers to the networked embedded devices and common household or everyday items, most of which have not traditionally been connected to the Internet. Examples include smart electric meters, driverless cars, refrigerators that send alerts when the milk runs out, bathroom scales that monitor weight gain and thermostats that track the homeowner’s commute to determine when the heat should go on.
ABI Research, a New York-based market-research firm, estimates there are more than 10 billion wirelessly connected devices in use, and that there will be more than 30 billion by 2020.
All this home, personal and vehicular automation sounds exciting, science-fiction-like and efficient. It can also be terrifying, since the consequences of something going wrong with connected devices could be deadly. Hackers targeting connected devices won’t just have access to personal information; they might also be able to take control of the physical world.
“The threats now involve safety, water, shelter and warmth,” said Trey Ford, global security strategist at Boston-based security firm Rapid7. “As the user, you are no longer in charge. The computer is making the decisions.”
Hacked cars, alarm systems and pacemakers
The physical aspect of IoT vulnerabilities became evident at last year’s DEF CON hacker conference, where security researchers Charlie Miller and Chris Valasek showed how they hacked into the onboard computers on a Toyota Prius and a Ford Escape to take over the vehicles’ steering and braking systems. They were able to jerk the vehicles’ steering wheels, slam on the brakes and even disable the brakes altogether, regardless of what the driver tried to do.
Over the past two decades, computer users have gotten better about protecting themselves against attacks. They’ve learned to use strong passwords, run antivirus software and update their operating systems. Computer-based attacks have been confined to the digital world, and the worst consequences involve lost data or lost money.
But in the Internet of Things, attacks can have a physical impact, because the targeted systems control the physical realm.
In a manufacturing plant, for instance, switches could be turned on and off until equipment broke down or caught fire. A burglar could hack into a home alarm system’s Web interface to use the security cameras to monitor the property, then turn off the alarm and unlock doors once the residents left the house. Or someone could break into your home, because Internet-connected garage doors can’t tell when a request is coming from the actual homeowner or someone planning a home invasion.
Even without breaking into the premises, an attacker could turn off the gas, lock doors, flip the lights, and just “terrorize you in your own home,” Ford said.
These scenarios are not just idle speculation. Earlier this year, IOActive researcher Mike Davis found multiple vulnerabilities in Belkin WeMo Home Automation devices that could let attackers perform malicious firmware updates, remotely monitor devices and access the user’s home network.
At last year’s Black Hat security conference, two researchers from Trustwave Security Labs discussed vulnerabilities in a number of home-automation systems, such as door locks, alarm systems, garage doors, lights, surveillance cameras and other electronic appliances that could be used to carry out covert surveillance and gain entry to buildings.
The famed late hacker Barnaby Jack demonstrated how to hijack wireless insulin pumps to deliver potentially fatal doses from across a room, or hijack wireless pacemakers to stop hearts — a scenario borrowed by the TV series “Homeland” — or deliver electric shocks.
Security is not always a priority
Researchers have called on manufacturers to secure connected devices, but hardware engineers developing the devices often don’t have experience in physical security or cybersecurity. Companies may not prioritize security because it would slow development, making it more likely that a rival will launch a competing product first.
Even when notified of flaws, manufacturers may not respond accordingly. Trustwave found one company that claimed its products were as secure as any home-automation system on the market, and another that said potential attacks required too many extra steps and variables to be a threat.
“The problem with this process is that no one entity has any incentive, expertise or even ability to patch the software once it’s shipped,” noted Bruce Schneier, chief security officer of Co3 Systems and a well-known security expert, in a blog post earlier this year.
To complicate matters, most connected devices, which use “embedded” software built into their chips, can’t be easily patched. Imagine an automaker having to tell customers the cars they bought three years ago were no longer safe because the software was out of date.
Even if the hardware can be patched, there are problems. Software upgrades frequently create glitches when deployed across a wide range of users because of software conflicts or other issues with specific types of hardware, noted Andrew Rose, a principal analyst with Cambridge, Mass.-based Forrester Research, in a company blog post in May.
“When your endpoint is traveling at 70 mph on a crowded highway, that’s not the time to find out that the software upgrade has a flaw, or that it corrupted an essential feature,” Rose warned.
Changing the security model
“If we don’t have a fundamentally new security model, then I don’t know how we’re going to enjoy the Internet of Things,” Dan Kaufman, director of the Information Innovation Office at the U.S. Defense Advanced Research Projects Agency (DARPA), told attendees at the recent GigaOm Structure conference in San Francisco.
“Patch Tuesday for your car or your insulin pump doesn’t make a whole lot of sense,” Kaufman added, referring to Microsoft and Adobe’s monthly rounds of software updates.
Until manufacturers start building with security in mind, or security companies come up with tools that can be used to secure the Internet of Things, there are a few things users can do to protect themselves.
Ford recommends segmenting a network, even a home Wi-Fi network, to keep Internet of Things devices separate from computers, routers and smartphones, and taking advantage of existing network defenses, such as firewalls and intrusion detection and prevention systems.
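Ford's advice is the one concrete control on this page, and checking that segmentation actually holds is something a home user or small IT team can do with their own firewall logs. The following is an added example, not code from the article or from Rapid7: it takes a handful of constructed firewall log lines, assumes a trusted LAN on 192.168.1.0/24 and an IoT VLAN on 192.168.50.0/24 behind a gateway at 192.168.50.1, and flags any flow where an IoT device initiates a connection into the trusted segment or into the gateway's management ports. The subnets, log format and allowed service list are assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed segmentation layout (example values, not from the article):
# a trusted LAN for computers and phones, and a separate IoT VLAN.
SEGMENTS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "iot": ipaddress.ip_network("192.168.50.0/24"),
}
GATEWAY = ipaddress.ip_address("192.168.50.1")

# Infrastructure services the IoT segment legitimately needs from the gateway.
GATEWAY_PORTS_ALLOWED = {53, 123}  # DNS and NTP

# Constructed log lines in a netfilter-style key=value format (assumption).
SAMPLE_LOG = [
    "SRC=192.168.50.20 DST=8.8.8.8 PROTO=UDP DPT=53",        # thermostat -> public DNS
    "SRC=192.168.50.20 DST=192.168.50.1 PROTO=UDP DPT=123",  # thermostat -> gateway NTP
    "SRC=192.168.50.20 DST=192.168.1.10 PROTO=TCP DPT=445",  # IoT device -> laptop SMB
    "SRC=192.168.1.10 DST=192.168.50.20 PROTO=TCP DPT=80",   # laptop -> IoT web UI
    "SRC=192.168.50.21 DST=192.168.1.1 PROTO=TCP DPT=22",    # camera -> LAN host SSH
    "SRC=192.168.50.20 DST=192.168.50.1 PROTO=TCP DPT=22",   # IoT device -> gateway SSH
    "SRC=192.168.50.21 DST=192.168.50.22 PROTO=TCP DPT=8080",  # IoT -> IoT
]

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Extract a Flow from one log line; return None for lines without a port."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return Flow(src, dst, proto, int(dport))


def segment_of(addr):
    """Map an address to a named segment, 'internet' for public space, else 'other'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet" if ip.is_global else "other"


def evaluate(flow):
    """Return (verdict, reason) for one flow under the segmentation policy.

    Policy: IoT devices may reach the Internet and DNS/NTP on the gateway,
    may talk among themselves, but never initiate connections into the
    trusted LAN or to gateway management ports. The trusted LAN may
    initiate anywhere (so the owner can still reach a device's web UI).
    """
    src_seg = segment_of(flow.src)
    dst_seg = segment_of(flow.dst)
    dst_ip = ipaddress.ip_address(flow.dst)
    if src_seg == "iot":
        if dst_ip == GATEWAY:
            if flow.dport in GATEWAY_PORTS_ALLOWED:
                return "allow", "iot -> gateway infrastructure service"
            return "deny", "iot -> gateway management port"
        if dst_seg == "internet":
            return "allow", "iot -> internet"
        if dst_seg == "iot":
            return "allow", "lateral traffic inside the iot segment"
        return "deny", f"iot device initiating a connection into {dst_seg}"
    if src_seg == "lan":
        return "allow", "trusted LAN may initiate anywhere"
    return "deny", f"unexpected source segment {src_seg}"


def audit(lines):
    """Return the list of (Flow, reason) pairs that violate the policy."""
    violations = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the constructed log, the script reports three violations: the IoT-to-laptop SMB attempt, the camera's SSH attempt into the LAN, and the SSH attempt at the gateway. On a real network the same check applies to the firewall's accepted-connection log; any hit is either a misconfigured rule or a device doing something it should not, which is exactly the kind of signal Ford's segmentation and intrusion detection advice is meant to produce.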
Widespread attacks against the Internet of Things are not yet here, Ford noted, which means there is still time to think about what the threats will look like, to come up with strategies to secure devices and to get companies involved in protecting them.
“We need to be thinking about solutions,” Ford said.