The Internet of Things – A “Security Time Bomb”
With the arrival of the IoT and billions of new Internet-connected machines, appliances, sensors, “things,” robots, and devices, wirelessly trafficking data to and from the Cloud, the threat of devastating cyber attacks is on the rise. In fact, according to the The World Economic Forum’s Global Risks Report 2018, cyber security is the third greatest global risk of 2018 topped only by natural disasters and extreme weather conditions.
An Economic Times article titled, All of us are sitting on a ticking time bomb called the internet explains:
“The more connected the world gets, the more vulnerable it becomes.”
“The report warns that the world is on the brink of an exponential increase in attack targets, driven by the growth of the IoT market.
According to the Wall Street Journal, the FBI sent a note to private companies warning,
“The exploitation of the ‘Internet of Things’ (IoT) to conduct small-to-large scale attacks on the private industry will very likely continue.”
Cyber vulnerability cannot be detected until there is an actual attack. First an IoT machine or “thing” is built. Then (potentially) comes a cyber attack. And last, the “patch,” aka, the fix. Due to the ingenuity of hackers, the ever-evolving nature of digital technology, and the fact that many systems cannot be shut down to enable a patch, we will at best always be in a reactive stance – responding as breaches occur. As explained by reporter Danny Palmer in a recent article about IoT security,
Retrofitting updates via the use of patches might work for a PC, a laptop or even a smartphone, but there are huge swathes of devices — and even whole internet-connected industrial or urban facilities — for which being shutdown in order to install and update is impossible,
Beyond the increase in hacking enabled by the IoT, the nature of the attacks has also changed. Before the IoT, attacks involved stolen data, such as personal identifying information, credit cards, and so forth. In an IoT world, attacks become far more impactful and devastating. Bruce Schneier explains,
With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.”
Schneier goes on:
Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.
One rather innovative form of domestic abuse now becoming more common is to use IoT “things” as tools to torment.
For more about how cyber physical systems of the IoT will likely cause real world cyber attacks, please see The Internet of Things Will Cause the First Ever Large Scale Internet disaster.
Schneier explains that we will not be able to prevent cyber attacks, so the aim must be to build resilient systems so that little failures don’t “cascade to big failures.” “We’re not gonna make the system safe, but we can stem the catastrophes. We can make them fail securely.”
As things stand now in the IoT-wild west – our 21st century gold rush – no one is ensuring that our software-embedded technologies are secure. Start-up companies lack resources, motivation, or personnel to properly secure software-embedded technologies. And our government is asleep at the wheel with regard to regulating cyber security.
Following are some reasons for these gaping holes in IoT cybersecurity.
SPEED OF DEPLOYMENT
In the US, government and industry are hell-bent on “leading the world” in 5G and have no intention of letting regulations get in their way. In his June 20, 2016 talk, The Future of Wireless: A Vision for U.S. Leadership in a 5G World, former FCC Chair Tom Wheeler boasted,
“If the Commission approves my proposal next month, the United States will be the first country in the world to open up high-band spectrum for 5G networks and applications. And that’s damn important because it means U.S. companies will be first out of the gate.”
In this same talk, Wheeler rallies the wireless industry to
“Lead the world in spectrum availability, encourage and protect innovation-driving competition, and stay out of the way of technological development. [Emphasis added]”
and assures industry that,
“Turning innovators loose is far preferable to expecting committees and regulators to define the future.”
Whereas other countries, such as New Zealand and India, are now conducting studies to ensure public safety, the US – in its mad rush – has chosen profit over safety. But unfortunately, our security experts cannot keep up with this race to the top. Joshua Corman, Director of the Cyber Statecraft Initiative for the Atlantic Council, and cofounder of I am the Cavalry, writes in Welcome to the Privacy Hell, Also Known as the Internet of Things,
“With IoT manufacturers far outweighing cyber security researchers, how will privacy and safety safeguards keep up?”
For a more in depth discussion please see: “IoT Growing Faster than the Ability to Defend it.”
Another reason for our government’s reticence to secure the IoT is that a difficult-to-hack IoT would also prevent law enforcement and government agencies from accessing data they feel is necessary to “keep our country safe.”
HOW TECHNOLOGIES IMPACT ONE ANOTHER
Even if a company were to build cybersecurity into the software of a particular machine, appliance, “thing,” or application, no one can predict how that particular technology will impact other technologies. What might seem fine in one system, when combined with other systems, can prove devastating. Bruce Schneier offers a few examples:
Already we’ve seen Gmail accounts compromised through vulnerabilities in Samsung smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices, and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways . . . Vulnerabilities on one system cascade into other systems, and the result is vulnerability that no one saw coming and no one bears responsibility for fixing.
Companies are also not motivated to secure their products and prefer to hide vulnerabilities. in a recent Motherboard article, The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters, Schneier states,
“The risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public.”
SO WHO IS OVERSEEING IOT CYBER SECURITY?
Government and industry are hell-bent on “leading the world” in 5G and have no intention of letting regulations get in the way. Former FCC Chair, Tom Wheeler stated, “Turning innovators loose is far preferable to expecting committees and regulators to define the future.”
In How to Keep the Internet of Things From Killing Us All, Schneier tells us,”It always takes government stepping in to say, ‘You must do this; you can’t do that; if you do these things, we’re allowed to sue.’”
Yet this is not so simple when policy makers have little will to step in, and even if they did, would have great difficulty grasping the intricacies involved in securing the IoT. In The Internet of Things Will Cause The first Ever Large Scale Internet Disaster, Schneier tells us that “The risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public.”
Moreover, the Internet of Things is “growing faster than the ability to defend it” according to Larry Greenemeier from Scientific American and other experts. Basically, government oversight and regulation cannot keep pace with the exceedingly fast rate of change in technology.
The bottom line is that neither government nor industry is securing the IoT. Foreseeing as early as 2013 the dangers the IoT would present, Joshua Corman and fellow researchers set out to discover who the IoT “thinkers and planners” were, and what was being done to prevent hacking or catastrophic cyber attacks. But they soon realized there was no one even attempting to protect the public. As Corman put it:
“We got to the adults in the room and realized there were no adults.”
PREDICTIONS AND COST OF IOT CYBER SECURITY
Industry and government predict enormous economic growth from 5G and the IoT. But they forget to factor in the costs to try to secure all these IoT things and the mega financial losses in the wake of cyber attacks.
In 2016, we experienced the first large-scale cyber attack enabled by IoT connected devices, Mirai. Twitter, Reddit, Spotify, and Github were among the many websites and services that were taken down. Since then, there has been a parade of large scale cyber attacks. In 2017 alone there was WannaCry, Petya, Wikileaks CIA “Vault 7”, Cloudbleed, Voter records exposed, Macron Campaign Hack, to name a few. What can we expect in 2018? Many experts are predicting major cyber attacks in 2018.
“Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication and cost.”
With government watching from the sidelines as the world goes digital, the situation remains dire.
In We Need to Save the Internet from the Internet of Things, Bruce Schneier tells us,
“This is a market failure that can’t get fixed on its own.”
Furthermore, even if the US government were to attempt to secure the IoT, this would only affect the Internet in the US. But since the Internet is global, “Attackers can just as easily build a botnet out of IoT devices from Asia as from the United States,” Schneier explains.
Corman sums up the current state of affairs:
If it’s software, it’s hackable — If it’s connected, it’s exposed.
By far, the best way to protect ourselves from cyber attacks is to simply 1) not buy into the IoT, either figuratively or literally; 2) to hardwire devices wherever possible; and 3) to inform policy makers you do not support a tech-infested, Cloud-connected world.
ADDITIONAL RESOURCES ON IOT CYBER SECURITY