The Internet of Things Will Be Even More Vulnerable to Cyber Attacks

Uploaded on 2017-06-05 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare, TECHNOLOGY-Key Areas-Internet of Things, TECHNOLOGY--Developments

As more smart devices with weak or no security connect to the internet, the world will become more exposed to attacks like the ransomware that hit Britain’s NHS.

The recent global ransomware attack, which affected organizations around the world including Britain’s National Health Service, was the first real illustration for many people of the scale and physical consequences a cyber attack might present. Criminal hackers exploited a flaw in ‘retired’ Microsoft software, which is not routinely updated and patched for security, to infect computers with the WannaCry ransomware.

But what if devices were even more vulnerable, running with no built-in security and no opportunity to patch? This is the problem that that the so-called internet of things (IOT) presents. With an anticipated 22.5 billion devices due to be connected to the internet by 2021, the opportunity for holding these devices to ransom will present significant opportunities to criminals and will have serious consequences for providers and users of these devices.

Last year the massive Distributed Denial of Service (DDoS) attack that brought down the Dyn Domain Name System (DNS) service illustrated the vulnerability of certain platforms to attacks using the IoT.  During that attack the perpetrators managed to deny access to major platforms like Twitter, Netflix and Facebook for some hours. It was made possible through harnessing poorly protected household devices such as security CCTV and baby monitors which still had the factory password programmed or no built in security.

This attack was significant and cost Dyn clients but it didn’t have an impact on critical infrastructure such as hospitals and doctors’ surgeries in the way this current attack has, where denying access to patient records could delay essential treatment. But the IOT has had and could have further significant physical consequences, when even the most benign of objects can be weaponized.

This week an 11-year-old boy demonstrated the vulnerability of the IOT to weaponization by hacking into the devices of an audience attending a cyber security conference to operate his teddy bear.  Similarly earlier this year the German Federal Network Agency advised parents to destroy the Cayla doll because of its demonstrated vulnerability to being hacked. Smart thermostats have been demonstrated as hackable, as have cars, baby monitors and televisions.

Self-driving cars are already being tested on the streets and it is estimated that there will be 10 million self-driving cars on the roads by 2020. Self-driving cars are part of the so called Internet of Automotive Things (IoAT), a network of sensors and computer processes that will likely reduce accidents caused by human error and ultimately make the roads a safer place. They will also be securely designed and better protected with the capacity to patch and update security software but they will not be impervious to hacking – nothing is. Imagine if your car could be effectively hijacked through the software it operates with. Imagine if it could change your destination, your speed and direction, or if it simply locked you out of your own vehicle.

Indeed there are similar risks and vulnerabilities posed wherever the use of sensors and software are applied. As security expert Bruce Schneier puts it: 'We no longer have things with computers embedded in them. We have computers with things attached to them.' This includes increasingly household fixtures, implanted and wearable medical devices, smart cities where public services utilize technology with the aim of improving efficiency and quality, and critical national infrastructure, such as power grids and railway systems.  

While there is research being done into the security implications of the IOT, many devices are already on the market and in people’s homes. Even when obsolete and out of use, the sensors may still present vulnerabilities that can be exploited by those who wish to hack into networked systems.  Standards for security need to be enforced before a major hack that has more serious consequences for the consumer is perpetrated through the IOT. If that happens, public trust in this booming economy will likely be undermined.

One approach to driving up standards in cyber security is through the insurance industry. Firms such as QBE and AIG have been examining the role that they can have in protecting consumers and companies against cyber threats, contributing to the development of a required culture of cyber security that ceases to prioritize the affordability of products over security. This means the mainstreaming of cyber security in all aspects and throughout all strata of business, industry and services.

Governments could also play a more involved role in regulating industry and enforcing minimum security standards. Without a more robust approach to protecting the IOT the answers will likely instead play out in court with liability being determined after the fact and with damage already done.

Ultimately the most powerful driver of change may come through increased consumer awareness of the security threats and demands for improved security standards. Perhaps this recent attack will spur such awareness. Without more vigilance, the IOT could provide an opportunity for an even bigger and more detrimental attack in the future.

The Royal Institure of International Affairs - Chatham House;

Hannah Bryce is Assistant Head, International Security at Chatham House.

You Might Also Read: 

Industrial Robots Are A Security Weak Link:

Cybersecurity Has A Metrics Problem:

What Healthcare CISOs Should Know:

 

 

 

« Microsoft Buys Cybersecurity Firm
Ethical Hacking Can Beat Black Hat Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cigniti Technologies

Cigniti Technologies

Cigniti Technologies provides Independent Software Testing (IST) Services including software security testing.

Exida

Exida

Exida is a leading product certification and knowledge company specializing in industrial automation system safety, security, and availability.

SecureMetric Technology

SecureMetric Technology

SecureMetric is one of SE Asia’s leading players in the field of digital security with a focus on Software Licensing Protection, 2-Factor Authentication, Advanced Identity and Access Management, Publi

Cybernetic Global Intelligence (CGI)

Cybernetic Global Intelligence (CGI)

CGI is a global IT Security firm that helps companies protect their data and minimize their vulnerability to cyber threats through a range of services such as Security Audits and Managed Services.

Echoworx

Echoworx

Echoworx primary and exclusive focus is providing organizations with secure email services.

Armis

Armis

Armis offers the markets leading asset intelligence platform designed to address the new threat landscape that connected devices create.

Enterprise Ethereum Alliance (EEA)

Enterprise Ethereum Alliance (EEA)

EEA is a member-led industry organization whose objective is to drive the use of Ethereum blockchain technology as an open-standard to empower ALL enterprises.

Invest Ottawa

Invest Ottawa

The IO Accelerator Program is designed to rapidly and systematically accelerate the development and commercial success of high growth technology firms.

Citalid

Citalid

The Citalid cyber risk management platform combines threat and business intelligence to identify the risks scenarios you face.

Mjenzi Cloud

Mjenzi Cloud

Mjenzi Cloud is a provider of cloud IaaS solutions including managed backup services, affordable & secure cloud virtual compute/storage/compute services, bare-metal services and cloud security.

Neosecure

Neosecure

NeoSecure is a specialist Cybersecurity Solutions and Managed Services provider in Latin America.

Enso Security

Enso Security

Enso is the first Application Security Posture Management (ASPM) solution, helping security teams everywhere eliminate their AppSec chaos with application discovery, classification and management.

Otorio

Otorio

OTORIO delivers industrial cybersecurity and digital risk-management solutions and services. We help our customers to keep their revenue-generating operations resilient, efficient, and safe.

inWebo

inWebo

inWebo is the specialist in multi-factor strong authentication (MFA). We guarantee the security of data and identities in a digital world with increasingly important economic and political stakes.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

Sansec Technology

Sansec Technology

Sansec Technology is dedicated to the research and development of cryptographic products and solutions for cyber security.