The Internet of Things Will Be Even More Vulnerable to Cyber Attacks

Uploaded on 2017-06-05 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Health & Welfare, TECHNOLOGY-Key Areas-Internet of Things, TECHNOLOGY--Developments

As more smart devices with weak or no security connect to the internet, the world will become more exposed to attacks like the ransomware that hit Britain’s NHS.

The recent global ransomware attack, which affected organizations around the world including Britain’s National Health Service, was the first real illustration for many people of the scale and physical consequences a cyber attack might present. Criminal hackers exploited a flaw in ‘retired’ Microsoft software, which is not routinely updated and patched for security, to infect computers with the WannaCry ransomware.

But what if devices were even more vulnerable, running with no built-in security and no opportunity to patch? This is the problem that that the so-called internet of things (IOT) presents. With an anticipated 22.5 billion devices due to be connected to the internet by 2021, the opportunity for holding these devices to ransom will present significant opportunities to criminals and will have serious consequences for providers and users of these devices.

Last year the massive Distributed Denial of Service (DDoS) attack that brought down the Dyn Domain Name System (DNS) service illustrated the vulnerability of certain platforms to attacks using the IoT.  During that attack the perpetrators managed to deny access to major platforms like Twitter, Netflix and Facebook for some hours. It was made possible through harnessing poorly protected household devices such as security CCTV and baby monitors which still had the factory password programmed or no built in security.

This attack was significant and cost Dyn clients but it didn’t have an impact on critical infrastructure such as hospitals and doctors’ surgeries in the way this current attack has, where denying access to patient records could delay essential treatment. But the IOT has had and could have further significant physical consequences, when even the most benign of objects can be weaponized.

This week an 11-year-old boy demonstrated the vulnerability of the IOT to weaponization by hacking into the devices of an audience attending a cyber security conference to operate his teddy bear.  Similarly earlier this year the German Federal Network Agency advised parents to destroy the Cayla doll because of its demonstrated vulnerability to being hacked. Smart thermostats have been demonstrated as hackable, as have cars, baby monitors and televisions.

Self-driving cars are already being tested on the streets and it is estimated that there will be 10 million self-driving cars on the roads by 2020. Self-driving cars are part of the so called Internet of Automotive Things (IoAT), a network of sensors and computer processes that will likely reduce accidents caused by human error and ultimately make the roads a safer place. They will also be securely designed and better protected with the capacity to patch and update security software but they will not be impervious to hacking – nothing is. Imagine if your car could be effectively hijacked through the software it operates with. Imagine if it could change your destination, your speed and direction, or if it simply locked you out of your own vehicle.

Indeed there are similar risks and vulnerabilities posed wherever the use of sensors and software are applied. As security expert Bruce Schneier puts it: 'We no longer have things with computers embedded in them. We have computers with things attached to them.' This includes increasingly household fixtures, implanted and wearable medical devices, smart cities where public services utilize technology with the aim of improving efficiency and quality, and critical national infrastructure, such as power grids and railway systems.  

While there is research being done into the security implications of the IOT, many devices are already on the market and in people’s homes. Even when obsolete and out of use, the sensors may still present vulnerabilities that can be exploited by those who wish to hack into networked systems.  Standards for security need to be enforced before a major hack that has more serious consequences for the consumer is perpetrated through the IOT. If that happens, public trust in this booming economy will likely be undermined.

One approach to driving up standards in cyber security is through the insurance industry. Firms such as QBE and AIG have been examining the role that they can have in protecting consumers and companies against cyber threats, contributing to the development of a required culture of cyber security that ceases to prioritize the affordability of products over security. This means the mainstreaming of cyber security in all aspects and throughout all strata of business, industry and services.

Governments could also play a more involved role in regulating industry and enforcing minimum security standards. Without a more robust approach to protecting the IOT the answers will likely instead play out in court with liability being determined after the fact and with damage already done.

Ultimately the most powerful driver of change may come through increased consumer awareness of the security threats and demands for improved security standards. Perhaps this recent attack will spur such awareness. Without more vigilance, the IOT could provide an opportunity for an even bigger and more detrimental attack in the future.

The Royal Institure of International Affairs - Chatham House;

Hannah Bryce is Assistant Head, International Security at Chatham House.

You Might Also Read: 

Industrial Robots Are A Security Weak Link:

Cybersecurity Has A Metrics Problem:

What Healthcare CISOs Should Know:

 

 

 

« Microsoft Buys Cybersecurity Firm
Ethical Hacking Can Beat Black Hat Hackers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The Networking People (TNP)

The Networking People (TNP)

TNP specialises in network consultancy and engineering services including information security.

Aurec

Aurec

Aurec provides specialist recruitment and contracting services including ICT professionals.

SecuPedia

SecuPedia

SecuPedia is a wiki-type platform that collects and provides the entire knowledge of security and IT security.

Covenco

Covenco

Covenco is a data management and IT infrastructure specialist. Working with customers to transform their IT environments, with data protection and security at the forefront of everything we do.

Deep Identity

Deep Identity

Deep Identity provide solutions to address identity governance and administration (IGA), compliance management and data governance requirements.

SecureNinja

SecureNinja

SecureNinja provides professional training, certifications & professional services related to all facets of Information Technology and Cyber Security.

TI Safe

TI Safe

TI Safe provide cybersecurity solutions for industrial networks of main critical infrastructures in Latin America.

Procilon Group

Procilon Group

Procilon Group specialize in the development of cryptographic software as well as strategic advice on information security and data protection.

Infosistem

Infosistem

Infosistem is a Croatian ICT company with extensive expertise and experience in enterprise and SMB ICT projects and solutions.

Edvance

Edvance

Edvance operates a range of cybersecurity businesses including value added cybersecurity solutions distribution, security technology innovation and development, and SaS solution offerings.

Assac Networks

Assac Networks

Assac Networks ShieldIT is an app that completely protects any BYOD smartphone from both tapping and hacking.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

Focal Point

Focal Point

We aspire to be the focal point for Medium and Small size companies providing 24/7 cyber security advice, services and solutions.

TAV Technologies

TAV Technologies

TAV Technologies is a provider of technology services to the aviation industry in areas including airport infrastructure systems, digital transformation and cybersecurity.

Nexon Asia Pacific

Nexon Asia Pacific

Nexon solutions include cloud infrastructure and services, unified communications, managed security services, business continuity, secured high-performance network and business applications.

Trellix

Trellix

Trellix is an extended detection and response (XDR) solutions provider created from a merger of McAfee Enterprise and FireEye Products.