With the arrival of the IoT and billions of new Internet-connected machines, appliances, sensors, “things,” robots, and devices, cybersecurity has become a near impossibility.
Securing Internet and communications technology has been an ongoing battle since the beginning of the digital age. For example, in 2013 (well before the IoT), Desert News reported there were 20 million and counting malicious attacks per day on Utah’s government networks. Predictions for the number of IoT connected “things” range from 20-50 billion by 2020, and each “thing” and every communication is potentially hackable. Clearly cyber security is a problem that is not going away anytime soon. According to a recent Wall Street Journal article, in a notice sent out to private companies, the FBI warned,
“The exploitation of the ‘Internet of Things’ (IoT) to conduct small-to-large scale attacks on the private industry will very likely continue.”
Even companies anxious to get on board with the IoT admit they are not prepared for the cyber risks that will result from this degree of connectivity. In How the Internet of Things will affect security & privacy author, Andrew Meola, states,
AT&T’s Cybersecurity Insights Report surveyed more than 5,000 enterprises around the world and found that 85% of enterprises are in the process of or intend to deploy IoT devices. Yet a mere 10% of those surveyed feel confident that they could secure those devices against hackers.
Cyber vulnerability cannot be detected until there is an actual attack. First an IoT machine or “thing” is built. Then (potentially) comes a cyber attack. And last, the “patch,” aka, the fix. Due to the ingenuity of hackers, the ever-evolving nature of digital technology, and the fact that many systems cannot be shut down to enable a patch, we will at best always be in a reactive stance, responding as breaches occur. As explained by reporter Danny Palmer in a recent article about IoT security,
Retrofitting updates via the use of patches might work for a PC, a laptop or even a smartphone, but there are huge swathes of devices — and even whole internet-connected industrial or urban facilities — for which being shutdown in order to install and update is impossible,
Beyond the increase in hacking enabled by the IoT, the nature of the attacks has also changed. Before the IoT, attacks involved stolen data, such as personal identifying information, credit cards, and so forth. In an IoT world, attacks become far more impactful and devastating. Bruce Schneier explains,
With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”
Restated by Schneier: “Give the internet hands and feet, and it will have the ability to punch and kick.”
Schneier goes on:
“Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.”
For more about how cyber physical systems of the IoT will likely cause real world cyber attacks, please see The Internet of Things Will Cause the First Ever Large Scale Internet disaster.
As things stand now in the IoT-wild west, our 21st century gold rush, no one is ensuring that our software-embedded technologies are secure. Start-up companies lack resources, motivation, or personnel to properly secure software-embedded technologies. The bottom line is, profit trumps cyber security. Mikko Hyppönen, chief research officer at F-Secure states,
“Cybersecurity isn’t a selling point for a washing machine, so why would manufacturers invest money in it?”
And the US government is by no means stepping up to the plate to incentivize companies to do so.
The following are some reasons for these gaping holes in IoT cybersecurity.
1. Speed of deployment
In the US, government and industry are hell-bent on “leading the world” in 5G and have no intention of letting regulations get in their way. In his June 20, 2016 talk, The Future of Wireless: A Vision for U.S. Leadership in a 5G World, former FCC Chair Tom Wheeler boasted,
If the Commission approves my proposal next month, the United States will be the first country in the world to open up high-band spectrum for 5G networks and applications. And that’s damn important because it means U.S. companies will be first out of the gate.
In this same talk, Wheeler also rallies the wireless industry to
“Lead the world in spectrum availability, encourage and protect innovation-driving competition, and stay out of the way of technological development. [Emphasis added]”
Wheeler then adds,
“Turning innovators loose is far preferable to expecting committees and regulators to define the future.”
Whereas other countries, such as New Zealand and India, are now conducting studies to ensure public safety, the US – in its mad rush – has chosen profit over safety. But unfortunately, our security experts cannot keep up with this race to the top. Joshua Corman, Director of the Cyber Statecraft Initiative for the Atlantic Council, and cofounder of I am the Cavalry, writes in Welcome to the Privacy Hell, Also Known as the Internet of Things,
“With IoT manufacturers far outweighing cyber security researchers, how will privacy and safety safeguards keep up?”
For a more in depth discussion of this please see: “IoT Growing Faster than the Ability to Defend it.”
Another reason for our government’s reticence to secure the IoT is that a difficult-to-hack IoT would also prevent law enforcement and government agencies from accessing data they feel is necessary to “keep our country safe.” Recall the recent back and forth between the FBI and Apple in the wake of the San Bernadino shooting.
2. No mechanism to update machines and devices
We regularly receive updates on our computers as new vulnerabilities are discovered and defended against. The Internet of connected machines, appliances, and “things” has no such mechanism for updates and patching. Once an IoT product becomes infected, it cannot be fixed. This presents no real loss for companies as this will keep people coming back for more, however, is not so great for consumers or the environment. Another vector of attack is on computer hardware, and according to Schneier, this kind of vulnerability is extremely difficult to patch.
3. We cannot predict how technologies will impact one another
Even if a company were to build cybersecurity into the software of a particular machine, appliance, “thing,” or application, no one can predict how that particular technology will impact other technologies. What might seem fine in one system, when combined with other systems, can prove harmful. Bruce Schneier gives some examples of this:
Already we’ve seen Gmail accounts compromised through vulnerabilities in Samsung smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices, and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways . . . Vulnerabilities on one system cascade into other systems, and the result is vulnerability that no one saw coming and no one bears responsibility for fixing.
In addition to complications stemming from the interaction of systems, in a recent Motherboard article, The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters, author Bruce Schneier states that companies are just not motivated to secure their products:
“the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public.”
So who IS overseeing IoT cybersecurity?
The bottom line is that neither government nor industry is securing the IoT. Foreseeing as early as 2013 the dangers the IoT would present, Corman and fellow researchers set out to discover who the “thinkers and planners” behind the IoT were, and what they were doing to prevent hacking or catastrophic cyber attacks. But after going “higher and higher” in the IoT world, they realized, there was no one even attempting to protect the public. As Joshua Corman put it:
“We got to the adults in the room and realized there were no adults.”
A recent Reuter’s article, quotes Trent Telford, CEO of Covata, an Internet security firm, saying:
“The harsh reality is that cybersecurity is not even on the radar of many manufacturers.”
What is the trend?
In 2016, we experienced the first large-scale cyber attack enabled by IoT connected devices, Mirai. Twitter, Reddit, Spotify, and Github were among the many websites and services that were taken down. Since then, there has been a parade of large scale cyber attacks. In 2017 alone there was WannaCry, Petya, Wikileaks CIA “Vault 7”, Cloudbleed, Voter records exposed, Macron Campaign Hack, to name a few. What can we expect in 2018? Many experts are predicting big cyber attacks in 2018.
In We Need to Save the Internet from the Internet of Things, Bruce Schneier writes:
What this [Mirai] attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can’t get fixed on its own.
Schneier then goes on to point out that even if government were to step in and propose some parameters to secure the IoT, this would only affect the Internet in the US.
“The Internet is global, and attackers can just as easily build a botnet out of IoT devices from Asia as from the United States.”
And if, hypothetically, other governments did regulate cyber security in the Iot, as mentioned before, there would still be
- No mechanism for software updates for IoT products
- Vulnerabilities from IoT products impacting each other in unexpected ways
- No way to prevent attacks, but just ways we can respond after attacks.
Corman sums up the current state of affairs:
If it’s software, it’s hackable — If it’s connected, it’s exposed.
By far, the best way to protect ourselves from cyber attacks is to simply not buy into the IoT, either figuratively or literally, and to hardwire devices wherever possible.