The Internet of Things Will Be Even More Vulnerable to Cyber Attacks

As more smart devices with weak or no security connect to the internet, the world will become more exposed to attacks like the ransomware that hit Britain’s NHS.

The recent global ransomware attack, which affected organizations around the world including Britain’s National Health Service, was the first real illustration for many people of the scale and physical consequences a cyber attack might present. Criminal hackers exploited a flaw in ‘retired’ Microsoft software, which is not routinely updated and patched for security, to infect computers with the WannaCry ransomware.

But what if devices were even more vulnerable, running with no built-in security and no opportunity to patch? This is the problem that that the so-called internet of things (IOT) presents. With an anticipated 22.5 billion devices due to be connected to the internet by 2021, the opportunity for holding these devices to ransom will present significant opportunities to criminals and will have serious consequences for providers and users of these devices.

Last year the massive Distributed Denial of Service (DDoS) attack that brought down the Dyn Domain Name System (DNS) service illustrated the vulnerability of certain platforms to attacks using the IoT.  During that attack the perpetrators managed to deny access to major platforms like Twitter, Netflix and Facebook for some hours. It was made possible through harnessing poorly protected household devices such as security CCTV and baby monitors which still had the factory password programmed or no built in security.

This attack was significant and cost Dyn clients but it didn’t have an impact on critical infrastructure such as hospitals and doctors’ surgeries in the way this current attack has, where denying access to patient records could delay essential treatment. But the IOT has had and could have further significant physical consequences, when even the most benign of objects can be weaponized.

This week an 11-year-old boy demonstrated the vulnerability of the IOT to weaponization by hacking into the devices of an audience attending a cyber security conference to operate his teddy bear.  Similarly earlier this year the German Federal Network Agency advised parents to destroy the Cayla doll because of its demonstrated vulnerability to being hacked. Smart thermostats have been demonstrated as hackable, as have cars, baby monitors and televisions.

Self-driving cars are already being tested on the streets and it is estimated that there will be 10 million self-driving cars on the roads by 2020. Self-driving cars are part of the so called Internet of Automotive Things (IoAT), a network of sensors and computer processes that will likely reduce accidents caused by human error and ultimately make the roads a safer place. They will also be securely designed and better protected with the capacity to patch and update security software but they will not be impervious to hacking – nothing is. Imagine if your car could be effectively hijacked through the software it operates with. Imagine if it could change your destination, your speed and direction, or if it simply locked you out of your own vehicle.

Indeed there are similar risks and vulnerabilities posed wherever the use of sensors and software are applied. As security expert Bruce Schneier puts it: 'We no longer have things with computers embedded in them. We have computers with things attached to them.' This includes increasingly household fixtures, implanted and wearable medical devices, smart cities where public services utilize technology with the aim of improving efficiency and quality, and critical national infrastructure, such as power grids and railway systems.  

While there is research being done into the security implications of the IOT, many devices are already on the market and in people’s homes. Even when obsolete and out of use, the sensors may still present vulnerabilities that can be exploited by those who wish to hack into networked systems.  Standards for security need to be enforced before a major hack that has more serious consequences for the consumer is perpetrated through the IOT. If that happens, public trust in this booming economy will likely be undermined.

One approach to driving up standards in cyber security is through the insurance industry. Firms such as QBE and AIG have been examining the role that they can have in protecting consumers and companies against cyber threats, contributing to the development of a required culture of cyber security that ceases to prioritize the affordability of products over security. This means the mainstreaming of cyber security in all aspects and throughout all strata of business, industry and services.

Governments could also play a more involved role in regulating industry and enforcing minimum security standards. Without a more robust approach to protecting the IOT the answers will likely instead play out in court with liability being determined after the fact and with damage already done.

Ultimately the most powerful driver of change may come through increased consumer awareness of the security threats and demands for improved security standards. Perhaps this recent attack will spur such awareness. Without more vigilance, the IOT could provide an opportunity for an even bigger and more detrimental attack in the future.

The Royal Institure of International Affairs - Chatham House;

Hannah Bryce is Assistant Head, International Security at Chatham House.

You Might Also Read: 

Industrial Robots Are A Security Weak Link:

Cybersecurity Has A Metrics Problem:

What Healthcare CISOs Should Know:

 

 

 

« Microsoft Buys Cybersecurity Firm
Ethical Hacking Can Beat Black Hat Hackers »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Packet Storm

Packet Storm

Packet Storm is an online resource for security tools, whitepapers, exploits, and advisories on computer security issues.

Prim'X Technologies

Prim'X Technologies

Prim'X Technologies provides information protection solutions to prevent unauthorised access to sensitive data.

Avast Software

Avast Software

Avast Software is a security software company that develops antivirus software and internet security services.

SEPPmail

SEPPmail

SEPPmail is a patented e-mail encryption solution to secure your electronic communication.

Luxembourg Office of Accreditation & Surveillance (OLAS)

Luxembourg Office of Accreditation & Surveillance (OLAS)

OLAS is the national accreditation body for Luxembourg. The directory of members provides details of organisations offering certification services for ISO 27001.

Cyber Security Jobs

Cyber Security Jobs

Cyber Security Jobs was formed to help job seekers find jobs and recruiters fill cyber security job vacancies.

DataTribe

DataTribe

DataTribe is a cyber startup foundry, leveraging deep experience and expertise to build and launch successful product companies.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Inpher

Inpher

Inpher has pioneered cryptographic Secret Computing® that enables advanced analytics and machine learning while keeping data private, secure, and distributed.

Oxford Internet Institute - University of Oxford

Oxford Internet Institute - University of Oxford

The Oxford Internet Institute is a multidisciplinary research and teaching department of the University of Oxford, dedicated to the social science of the Internet.

NewAE Technology

NewAE Technology

NewAE Technology is revolutionizing the hardware security market by making every engineer and designer aware of side-channel power analysis and glitching as important attack vectors.

Arcanna.ai

Arcanna.ai

Using a wide range of out-of-the box integrations, Arcanna.ai continuously learns from existing enterprise cybersecurity experts and scales your team’s capacity to deal with threats.

RiskSmart

RiskSmart

RiskSmart empower risk, compliance, and legal teams with a tech-led and data-driven platform designed to save time, reduce costs and add real value to businesses.

Cyber Capital Partners

Cyber Capital Partners

Cyber Capital Partners build strategic and financial partnerships with small and mid-sized cybersecurity companies in highly regulated markets.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Vortacity Cyber

Vortacity Cyber

Vortacity is a boutique cybersecurity provider specializing in associations, nonprofits, and mission-based organizations.