The Internet of Things Will Be Even More Vulnerable to Cyber Attacks

As more smart devices with weak or no security connect to the internet, the world will become more exposed to attacks like the ransomware that hit Britain’s NHS.

The recent global ransomware attack, which affected organizations around the world including Britain’s National Health Service, was the first real illustration for many people of the scale and physical consequences a cyber attack might present. Criminal hackers exploited a flaw in ‘retired’ Microsoft software, which is not routinely updated and patched for security, to infect computers with the WannaCry ransomware.

But what if devices were even more vulnerable, running with no built-in security and no opportunity to patch? This is the problem that that the so-called internet of things (IOT) presents. With an anticipated 22.5 billion devices due to be connected to the internet by 2021, the opportunity for holding these devices to ransom will present significant opportunities to criminals and will have serious consequences for providers and users of these devices.

Last year the massive Distributed Denial of Service (DDoS) attack that brought down the Dyn Domain Name System (DNS) service illustrated the vulnerability of certain platforms to attacks using the IoT.  During that attack the perpetrators managed to deny access to major platforms like Twitter, Netflix and Facebook for some hours. It was made possible through harnessing poorly protected household devices such as security CCTV and baby monitors which still had the factory password programmed or no built in security.

This attack was significant and cost Dyn clients but it didn’t have an impact on critical infrastructure such as hospitals and doctors’ surgeries in the way this current attack has, where denying access to patient records could delay essential treatment. But the IOT has had and could have further significant physical consequences, when even the most benign of objects can be weaponized.

This week an 11-year-old boy demonstrated the vulnerability of the IOT to weaponization by hacking into the devices of an audience attending a cyber security conference to operate his teddy bear.  Similarly earlier this year the German Federal Network Agency advised parents to destroy the Cayla doll because of its demonstrated vulnerability to being hacked. Smart thermostats have been demonstrated as hackable, as have cars, baby monitors and televisions.

Self-driving cars are already being tested on the streets and it is estimated that there will be 10 million self-driving cars on the roads by 2020. Self-driving cars are part of the so called Internet of Automotive Things (IoAT), a network of sensors and computer processes that will likely reduce accidents caused by human error and ultimately make the roads a safer place. They will also be securely designed and better protected with the capacity to patch and update security software but they will not be impervious to hacking – nothing is. Imagine if your car could be effectively hijacked through the software it operates with. Imagine if it could change your destination, your speed and direction, or if it simply locked you out of your own vehicle.

Indeed there are similar risks and vulnerabilities posed wherever the use of sensors and software are applied. As security expert Bruce Schneier puts it: 'We no longer have things with computers embedded in them. We have computers with things attached to them.' This includes increasingly household fixtures, implanted and wearable medical devices, smart cities where public services utilize technology with the aim of improving efficiency and quality, and critical national infrastructure, such as power grids and railway systems.  

While there is research being done into the security implications of the IOT, many devices are already on the market and in people’s homes. Even when obsolete and out of use, the sensors may still present vulnerabilities that can be exploited by those who wish to hack into networked systems.  Standards for security need to be enforced before a major hack that has more serious consequences for the consumer is perpetrated through the IOT. If that happens, public trust in this booming economy will likely be undermined.

One approach to driving up standards in cyber security is through the insurance industry. Firms such as QBE and AIG have been examining the role that they can have in protecting consumers and companies against cyber threats, contributing to the development of a required culture of cyber security that ceases to prioritize the affordability of products over security. This means the mainstreaming of cyber security in all aspects and throughout all strata of business, industry and services.

Governments could also play a more involved role in regulating industry and enforcing minimum security standards. Without a more robust approach to protecting the IOT the answers will likely instead play out in court with liability being determined after the fact and with damage already done.

Ultimately the most powerful driver of change may come through increased consumer awareness of the security threats and demands for improved security standards. Perhaps this recent attack will spur such awareness. Without more vigilance, the IOT could provide an opportunity for an even bigger and more detrimental attack in the future.

The Royal Institure of International Affairs - Chatham House;

Hannah Bryce is Assistant Head, International Security at Chatham House.

You Might Also Read: 

Industrial Robots Are A Security Weak Link:

Cybersecurity Has A Metrics Problem:

What Healthcare CISOs Should Know:

 

 

 

« Microsoft Buys Cybersecurity Firm
Ethical Hacking Can Beat Black Hat Hackers »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Black Hat Briefings

Black Hat Briefings

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world.

Senetas

Senetas

Senetas is a leading developer and manufacturer of certified high-assurance encryption solutions, dedicated to protecting network transmitted data without compromising performance.

Prim'X Technologies

Prim'X Technologies

Prim'X Technologies provides information protection solutions to prevent unauthorised access to sensitive data.

Operational Center for Information Systems Security (COSSI)

Operational Center for Information Systems Security (COSSI)

COSSI is responsible for the detection and mitigation of cyber attacks directed at French Government information systems.

Japan Network Security Association (JNSA)

Japan Network Security Association (JNSA)

JNSA's goal is to promote standardization related to network security and to contribute to greater technological standards in the field.

CyberTrap

CyberTrap

CyberTrap is an advanced highly-interactive deception technology allowing real-time analysis and control of security breaches.

AVORD

AVORD

AVORD is a cloud-based security testing platform that allows clients to manage security testing requirements in a far more productive and efficient way.

Enet 1 Group1

Enet 1 Group1

Enet 1 Group audits, assesses, recommends, and delivers tested solutions for the ever-increasing threats to your critical systems and digital assets

Safetech Innovations

Safetech Innovations

Safetech Innovations is a team of cyber security experts, always at your service. We use human and cyber intelligence to help your business in uncertain times.

Hybrid Identity Protection Conference (HIP)

Hybrid Identity Protection Conference (HIP)

Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric cybersecurity practitioners charged with defending hybrid cloud environments.

Opticks Security

Opticks Security

Opticks provides fraud detection and monitoring solutions for leading brands. agencies and networks. Our relentless mission is to deliver reliable and innovative software to beat digital fraud.

Saporo

Saporo

Saporo helps organizations increase their cyber-resistance. Continuously map your attack surface and get the recommendations you need to make your organization more resistant to attacks.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

Airiam

Airiam

Airiam provides cybersecurity, managed IT, consulting, incident response, and digital transformation services so you can focus on what matters most.

Eventus Security

Eventus Security

Eventus, are a team of highly skilled professionals who are committed to deliver excellence in next generation cyber security services and customized solutions for your enterprise.

SOCRadar

SOCRadar

SOCRadar is an Extended Threat Intelligence (XTI) SaaS platform that combines External Attack Surface Management (EASM), Digital Risk Protection Services (DRPS), and Cyber Threat Intelligence (CTI).