Consumers could turn their backs on the Internet of Things if companies creating a connected world fail to take their security concerns seriously
The Internet of Things (IoT) is the hottest sector in tech right now. It connects everyday objects to the web. The Nest thermostat allows you to control your home heating system via a smartphone app. Google loved the idea so much it splashed out $3.2 billion on Nest.
Anything can be hooked up. There are internet-connected kettles, which can boil via remote command; CCTV cameras let the owner view footage from anywhere in the world; and IoT plant pots dribble water into the soil according to a programmed schedule. There are IoT fridges, bathroom scales and garden sprinklers.
Cars are connected in multiple ways. Volvo embeds crash-reporting systems in its vehicles. In the event of a collision the car automatically dials the emergency services, complete with GPS location. Tesla cars update wirelessly. An upgrade to the power management system improved the 0 to 60mph performance by a tenth of a second. Owners woke up one morning to find their cars were more fuel-efficient.
The problem? In a word: security. It’s terrible.
When IoT goes wrong
Last year, Fiat Chrysler recalled 1.4 million Jeep Cherokees in the US after researchers proved the vehicles could be hacked through their internet connection. The hijackers seized control of the air conditioning, the wipers, the steering wheel and – terrifyingly – the brakes. It would be possible to accelerate to 100mph and slam the car into oncoming traffic. Even the Tesla Model S – the most secure model on the road – has been successfully hacked.
Home webcams are rich targets for hackers. They hunt for footage of attractive females and share images of their ‘slaves’ on internet forums.
Security firm Pen Test Partners hacked a children’s doll called My Friend Cayla. With a bit of tinkering the doll was reprogrammed to “swear like a docker, a very sweary docker at that”.
How big is the security issue? Huge. A survey by HP showed 70% of IoT devices had major security flaws. Security firm Symantec looked at 50 smart devices. None enforced strong passwords, used mutual authentication or protected accounts against brute-force attacks.
This failure isn’t a secret. The cybersecurity body (ISC)² openly admits the industry is plagued by vulnerabilities.
European Managing Director Dr Adrian Davis explains: “Unfortunately, many IoT devices, from cars and insulin pumps to curtains and industrial machinery, are not designed for security but for ease of use, and the ability to function with minimal human oversight. Many new connected devices are designed by people who are either ignorant of security or believe security is not necessary, so they are building devices that are easy to attack.”
The potential for mayhem
The potential for mayhem is disturbing. Adrian Sanabria of 451 Research has looked at many scenarios: “Someone could take remote control of a mining truck and go amok; kill the heat in your house in the winter; access security cameras remotely without proper authorisation; and open doors that aren’t yours via the internet.”
Kevin Bocek, Vice President of Security Strategy at cyber-security provider Venafi, offers this scenario: “A dosage tracking system is a wearable device worn by patients that relays personalised medicine dosage information.
“There is potential for this technology to dramatically improve patient care services and even reduce the amount of medicine-related incidents. But if a hacker were to intercept traffic between the dosage tracker and trusted communications networks, they could make the device relay lethal doses of medication to a patient.”
Former US Vice President Dick Cheney had his pacemaker’s wireless function disconnected to avoid hackers.
These examples are all at the consumer level. The IoT is also used for industrial applications such as running power stations and hospitals. The danger in this context is elevated. The Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin to hijackers who locked files through a remote attack. Nurses were reduced to using pen and paper to record patient notes, and sending them via fax.
Researchers at the University of Michigan demonstrated how to hack 100 wirelessly connected traffic lights to change from green to red on command.
The new trend is for hackers to use IoT devices as launchpads for other attacks. In October a Distributed Denial of Service attack was launched. This is when a website is flooded with traffic, overwhelming it. Normally, Distributed Denial of Service attacks are launched from infected PCs. This time the attack came from 900 CCTV cameras across the globe. Their operating system was sophisticated enough to make web requests. The malefactors responsible clearly found the cameras an easier target than computers running anti-virus and firewalls.
If the IoT industry can’t fix these issues, then consumer confidence may wane. A survey by Fortinet found 68% of homeowners are concerned about a data breach from a connected device. A report by Veracode shows half of British drivers are worried about the threat of a cyber-attack. The German automotive industry association says that carmakers think it could take three years before vehicles are secure against hackers.
There’s one further twist in the story. It may not be hackers doing the spying. It may be the device-makers. Samsung got into hot water last year when it admitted its smart TVs were listening to consumers.
Users had (inadvertently) consented; the user licence agreement clearly stated: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to third parties through your use of Voice Recognition.” Samsung insisted all data is anonymised, and is merely used to refine the service.
Security agencies may order device-makers to spy on customers. US Director of National Intelligence James Clapper told a Senate panel in February: “In the future, intelligence services might use the [Internet of Things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”
When your phone, TV, and even your child’s doll can eavesdrop, then security is a huge issue. Hackers can use a single flaw in pretty much any device to gain control of your home network. American security agencies, or the device-makers, may be the ones doing the spying. The IoT has incredible potential, but if the industry doesn’t address security concerns, consumers will start to abandon this most promising of technologies.
The expert’s view
Alex Baleta, Corporate Finance, Grant Thornton UK LLP:
Considering that the World Economic Forum and Cisco predict that there will be more than 50 billion connected devices by 2020 and an unprecedented exchange of personal and public data, one can hardly imagine the scale and complexity of cyber-crime in the future world of IoT.
Businesses and individuals often don’t realise how exposed and vulnerable they are: even a toaster in a ‘smart’ home could provide access to your personal data. ‘Intelligent’ cars reveal your whereabouts, and the bank account or credit card details used for parking charges will be at risk if adequate security is lacking.
As data leaks and cyber-crime become more common, increasing emphasis is placed on network, device and data security, trying to find out how best to secure people and business in the connected world. Blockchain is a leading example of how financial transactions can be made as secure as possible in a virtual global ledger; its approach to data and transaction security could be applied across other industries.
At present security features and technology are playing catch-up with IoT, where the pace of adoption is simply too fast to predict what’s next.
Illustration: Kyle Bean