The Internet of Things (IoT) promises to revolutionize our businesses and lives. According to tech research firm Gartner Inc.; on an average day this year, 5.5 million new products of all types will be connected to the Internet. By the end of the year, 6.4 billion devices will be networked, an increase of 30 percent from last year, with the number jumping to a staggering 20.8 billion by the end of the decade.
What types of "things" are being connected to the Internet of Things? The list includes baby monitors, wearable fitness trackers, medical devices, closed-circuit security cameras, burglar alarms, smart thermostats, cars, toasters, refrigerators, dishwashers, smart TVs, smart watches, digital cameras, pet collars, electronic gadgets, factory equipment, power grids, water filters, and more.
McKinsey & Company's Global Institute found that the total economic benefit of IoT in 2025 could be from $3.9 trillion to $11.1 trillion per year.
While this technology will open many opportunities for wealth creation, not all of those opportunities will be legal ones. Just as legitimate businesses and entrepreneurs are working on ways to make money from the Internet of Things, cyber thieves are equally enthusiastic about its potential.
Clearly, the risk is not that criminals will hack into your appliances in order to burn your toast or melt your ice cream, although they will certainly have that capability. The real threat is that they will use weakly protected appliances as portals into your home network, where they will steal personal and financial information stored on your laptop to commit identity theft and banking fraud.
As the FBI recently announced: "Deficient security capabilities and difficulties for patching vulnerabilities in [IoT] devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices.2 Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam emails, steal personal information, or interfere with physical safety. The main IoT risks include:
- An exploitation of the Universal Plug and Play protocol (UPnP) to gain access to many IoT devices. [This protocol] describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping.
- An exploitation of default passwords to send malicious and spam emails, or steal personally identifiable information or credit card information.
- Compromising the IoT device to cause physical harm.
- Overloading the devices to render the device inoperable.
- Interfering with business transactions." Even a seemingly benign technology like the motion sensor within a smart watch can be subverted from tracking your fitness goals to monitoring the movements of your hand as you enter a password that unlocks access to your credit card.
Also, hackers can gain control over IoT devices to create a botnet-defined as "a network of private computers infected with malicious software and controlled as a group without the owners' knowledge," which can be used to distribute spam emails or launch a denial of service attack.
Two years ago, the security firm Proofpoint identified what it called the "first IoT botnet," in which more than one-fourth of the devices were baby monitors, televisions, and other nontraditional computing devices.
This year, Sucuri Security discovered a botnet consisting of more than 25,500 hacked closed-circuit security cameras that were being used to target business websites with denial of service attacks.
Such cameras are particularly tempting targets to hackers because nearly 250 million professionally installed units were in use last year, with countless other cameras deployed by consumers-and since the default passwords are rarely changed, anyone can access them.
But the biggest threat isn't the potential loss of privacy or financial information. Attacks enabled by the IoT's weak security protocols could cause the loss of human lives.
According to a post on ZDNet, Internet security expert Bruce Schneier warned about the vulnerabilities of connected cars at a recent InfoSecurity Europe conference: "When you start thinking about a car, you quickly realize the integrity and vulnerability threats are much worse than confidentiality threats and there's real risks to life and property here."
He pointed out that even though it would be bad for hackers to invade the privacy of drivers, "It'd be really bad if they could disable the brakes. It'd be really bad-and it'll happen in a year or two-when someone figures out how to apply ransomware to the CPUs of cars. That's not going to be fun, but as long as there are computers it'll happen."
Ransomware is a type of hacker attack in which the intruder disables the victim's computer, phone, or car, demanding payment of hundreds or thousands of dollars to restore access to the victim's data or control of the brakes and steering wheel. Symantec estimates that extortionists collect more than $5 million each year from victims, and in many instances, they don't hold up their end of the bargain and unlock the data.
But if you think this type of threat doesn't apply to your car, you're wrong. Hackers could easily seize control of a car's brakes or acceleration and demand an immediate payment to prevent a collision.
This isn't just speculation; experiments by computer experts outside the automobile industry have proven that it can be done. In 2011, researchers from the University of California at San Diego and the University of Washington demonstrated that they were able to remotely disable the locks and the brakes on a Chevrolet Impala.
Last year, Wired reported that a pair of "white hat" hackers, Chris Valasek and Charlie Miller, had figured out how to remotely control a Jeep Cherokee.7 One of its reporters drove the Cherokee on a St. Louis highway while the hackers sat on their couch and cranked up the SUV's air conditioning, blasted rap music on its sound system, and turned on the windshield wipers, while the driver sat helpless to override their commands.
Those were minor annoyances compared to the hackers' next stunt: They shut down the Cherokee's transmission, disabling the driver's accelerator so that it slowed to a crawl, while an 18-wheel semi behind it narrowly averted slamming into the disabled vehicle. They also disconnected the Jeep's brakes, causing the driver to pump the brakes in vain as it skidded into a ditch.
Valasek and Miller say they exploited a vulnerability in the computer network, called a CAN bus, that is used to issue commands to the engines, brakes, and tires. After the breach became public, FiatChrysler responded by recalling 1.4 million vehicles to fix the problem. But because not every owner responds to a recall, many of the vulnerable vehicles are likely still on the road.
Valasek and Miller, who were recently hired by Uber's Advanced Technology Center, subsequently figured out how to trigger the acceleration or seize control of the steering wheel, allowing them to whip the Jeep into a 180-degree turn in traffic, with potentially fatal consequences for the helpless driver and passengers.
Meanwhile, in August 2016, a team of scientists from the University of Michigan announced that they had hacked into a truck to change the displays on the dashboard instrument panel so that they could make an empty fuel tank appear to be full; speed up the truck despite the driver's attempts to slow it down; and turn off one of the truck's braking systems.
According to Michigan researcher Bill Hass, "These trucks carry hazard chemicals and large loads. And they're the backbone of our economy. If you can cause them to have unintended acceleration...I don't think it's too hard to figure out how many bad things could happen with this."
Hacking into trucks is actually simpler than attacking cars because different car manufacturers use different types of communications systems. However, all trucks and school buses use a shared communication standard called J1939, so once a criminal or terrorist organization learns how to penetrate the software, it could cause a catastrophe by causing thousands of trucks to accelerate and plow into vehicles in front of them, or it could shut down a fleet of trucks in traffic while issuing a demand for ransom.
Based on our analysis of this trend, we offer the following forecasts:
First, manufacturers and consumers will balance the desire for connectivity with the need for security.
The problem is that manufacturers are racing each other to push connected products onto the market. In most cases, they're not taking the time to worry about security or consumer privacy-and even the flimsy security protocols that are in place are frequently ignored by end users:
In fact, most purchasers of connected products fail to reset the default password, leaving the entire home just as vulnerable to intruders as if the front door were left wide open all day and all night. In the case of vehicles, a survey by Kelley Blue Book found that 42 percent of its users, and 60 percent of Millennials, want their cars to become more connected. Yet, about two-thirds believe that those cars will be easy targets for cyber criminals.
Second, companies that provide top-notch security for IoT devices will reap big profits.
The entire market for Internet security is expected to grow to $170 billion by 2020. Security for the Internet of Things accounts for 9 percent of the total market, and by 2020 it is likely to reach at least 16 percent. Projections by the research firm MarketsandMarkets reveal that the IoT security market is expected to grow from $6.89 billion in 2015 to $28.9 billion by 2020, at a compound annual growth rate of 33.2 percent from 2015 to 2020. Two companies to watch in this space are Gemalto and Microsoft. Gemalto is a company that provides security for mobile payments.
It is extending its Secure Element platform to car manufacturers and utility companies. The supposedly tamper-proof technology is embedded in devices to provide security by encrypting data and limiting access from one connected device to another. Microsoft is including BitLocker encryption and Secure Boot technology into its Windows 10 IoT operating system for IoT devices.
BitLocker can encrypt entire disk volumes to keep data protected from intrusions, while Secure Boot prevents PCs from being hijacked by ensuring that they boot only with trusted software.
Third, businesses and individuals will suffer breaches via IoT devices unless they make an effort to focus on the security of every object they connect to the Internet.
The FBI recommends that people take the following precautions:
- "Isolate IoT devices on their own protected networks.
- Disable UPnP on routers.
- Consider whether IoT devices are ideal for their intended purpose.
- Purchase IoT devices from manufacturers with a track record of providing secure devices.
- When available, update IoT devices with security patches.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device.
- Patients should be informed about the capabilities of any medical devices prescribed for at-home use. If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor.
- [The FBI recommends] all default passwords [be] changed to strong passwords. Do not use the default password determined by the device manufacturer.
Fourth, car and truck manufacturers will place a major emphasis on IoT security as the market for connected vehicles explodes.
Josh Corman, co-founder of an IoT security organization called I Am the Cavalry, cautions that vehicle manufacturers are "getting worse faster than they're getting better. If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it."
According to Wired, the organization recommends that manufacturers follow five recommendations: "safer design to reduce attack points, third-party testing, internal monitoring systems, segmented architecture to limit the damage from any successful penetration, and the same internet-enabled security software updates that PCs now receive."
Fortunately, some manufacturers are starting to make progress. Ford and BMW are now starting to send software updates over the Internet, rather than requiring car owners to visit dealers or mechanics. Chrysler recently announced a "bug bounty" program that offers cash rewards to hackers who tell the company about vulnerabilities that can be hacked in its vehicles.