The Internet of Things Will Be Even More Vulnerable to Cyber Attacks

Uploaded on 2017-06-05 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare, TECHNOLOGY-Key Areas-Internet of Things, TECHNOLOGY--Developments

As more smart devices with weak or no security connect to the internet, the world will become more exposed to attacks like the ransomware that hit Britain’s NHS.

The recent global ransomware attack, which affected organizations around the world including Britain’s National Health Service, was the first real illustration for many people of the scale and physical consequences a cyber attack might present. Criminal hackers exploited a flaw in ‘retired’ Microsoft software, which is not routinely updated and patched for security, to infect computers with the WannaCry ransomware.

But what if devices were even more vulnerable, running with no built-in security and no opportunity to patch? This is the problem that that the so-called internet of things (IOT) presents. With an anticipated 22.5 billion devices due to be connected to the internet by 2021, the opportunity for holding these devices to ransom will present significant opportunities to criminals and will have serious consequences for providers and users of these devices.

Last year the massive Distributed Denial of Service (DDoS) attack that brought down the Dyn Domain Name System (DNS) service illustrated the vulnerability of certain platforms to attacks using the IoT.  During that attack the perpetrators managed to deny access to major platforms like Twitter, Netflix and Facebook for some hours. It was made possible through harnessing poorly protected household devices such as security CCTV and baby monitors which still had the factory password programmed or no built in security.

This attack was significant and cost Dyn clients but it didn’t have an impact on critical infrastructure such as hospitals and doctors’ surgeries in the way this current attack has, where denying access to patient records could delay essential treatment. But the IOT has had and could have further significant physical consequences, when even the most benign of objects can be weaponized.

This week an 11-year-old boy demonstrated the vulnerability of the IOT to weaponization by hacking into the devices of an audience attending a cyber security conference to operate his teddy bear.  Similarly earlier this year the German Federal Network Agency advised parents to destroy the Cayla doll because of its demonstrated vulnerability to being hacked. Smart thermostats have been demonstrated as hackable, as have cars, baby monitors and televisions.

Self-driving cars are already being tested on the streets and it is estimated that there will be 10 million self-driving cars on the roads by 2020. Self-driving cars are part of the so called Internet of Automotive Things (IoAT), a network of sensors and computer processes that will likely reduce accidents caused by human error and ultimately make the roads a safer place. They will also be securely designed and better protected with the capacity to patch and update security software but they will not be impervious to hacking – nothing is. Imagine if your car could be effectively hijacked through the software it operates with. Imagine if it could change your destination, your speed and direction, or if it simply locked you out of your own vehicle.

Indeed there are similar risks and vulnerabilities posed wherever the use of sensors and software are applied. As security expert Bruce Schneier puts it: 'We no longer have things with computers embedded in them. We have computers with things attached to them.' This includes increasingly household fixtures, implanted and wearable medical devices, smart cities where public services utilize technology with the aim of improving efficiency and quality, and critical national infrastructure, such as power grids and railway systems.  

While there is research being done into the security implications of the IOT, many devices are already on the market and in people’s homes. Even when obsolete and out of use, the sensors may still present vulnerabilities that can be exploited by those who wish to hack into networked systems.  Standards for security need to be enforced before a major hack that has more serious consequences for the consumer is perpetrated through the IOT. If that happens, public trust in this booming economy will likely be undermined.

One approach to driving up standards in cyber security is through the insurance industry. Firms such as QBE and AIG have been examining the role that they can have in protecting consumers and companies against cyber threats, contributing to the development of a required culture of cyber security that ceases to prioritize the affordability of products over security. This means the mainstreaming of cyber security in all aspects and throughout all strata of business, industry and services.

Governments could also play a more involved role in regulating industry and enforcing minimum security standards. Without a more robust approach to protecting the IOT the answers will likely instead play out in court with liability being determined after the fact and with damage already done.

Ultimately the most powerful driver of change may come through increased consumer awareness of the security threats and demands for improved security standards. Perhaps this recent attack will spur such awareness. Without more vigilance, the IOT could provide an opportunity for an even bigger and more detrimental attack in the future.

The Royal Institure of International Affairs - Chatham House;

Hannah Bryce is Assistant Head, International Security at Chatham House.

You Might Also Read: 

Industrial Robots Are A Security Weak Link:

Cybersecurity Has A Metrics Problem:

What Healthcare CISOs Should Know:

 

 

 

« Microsoft Buys Cybersecurity Firm
Ethical Hacking Can Beat Black Hat Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Group-IB

Group-IB

Group-IB is a leading provider of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property.

Information Security Forum (ISF)

Information Security Forum (ISF)

The ISF is a leading authority on information security and risk management.

Dcoya

Dcoya

Dcoya's complete security awareness training program gives you out-of-the-box compliance with PCI-DSS, HIPAA, SOX and ISO regulations.

Monster Jobs

Monster Jobs

Monster is a global leader in connecting people to jobs, wherever they are. Monster covers all job sectors including cybersecurity in locations around the world.

Cybil

Cybil

Cybil is a publicly-available portal where members of the international cyber capacity building community can find and share information to support the design and delivery of programs and projects.

Cyber Range Malaysia

Cyber Range Malaysia

With Cyber Range Malaysia organizations can train their security professionals in empirically valid cyber war-gaming scenarios necessary to develop IT staff skills and instincts for defensive action.

Depth Security

Depth Security

Depth Security assessment services provide organizations with real-world visibility into threats facing their infrastructure and applications.

Isovalent

Isovalent

Isovalent deliver the most advanced Kubernetes networking & security capabilities to the most demanding of enterprise users.

ImmuniWeb

ImmuniWeb

We Simplify, Accelerate and Reduce Costs of Security Testing, Protection and Compliance.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

Mindaro Insurance

Mindaro Insurance

Mindaro is adding the crucial piece of the cyber security puzzle that protects your organization from the financial ramifications of cyber attacks.

watchTowr

watchTowr

Continuous Attack Surface Testing, with the watchTowr Platform. The future of Attack Surface Management.

Flat6Labs

Flat6Labs

Flat6Labs is the MENA region’s leading seed and early stage venture capital firm, currently running the most renowned startup programs in the region.

RapidSpike

RapidSpike

RapidSpike is the only website monitoring solution that focuses all three key aspects of website health: performance, reliability AND security.

Cyber & Data Protection

Cyber & Data Protection

Cyber & Data Protection Limited supports Charities, Educational Trusts and Private Schools, Hospitality and Legal organisations by keeping their data secure and usable.

Ventum Consulting

Ventum Consulting

Ventum Consulting stands for digitalization, networking and agilization. We take this up on the strategic, professional and technical side and support our customers in the digital transformation.