More and more, the physical world and the online world are intricately connected. Vital systems that support life and civilization are connected to the Internet--the power grid, sewers, transportation, and many others. And all that critical infrastructure is run by error-prone humans, meaning it's vulnerable to devastating cyberattacks.
On a more local, personal scale, an ever-increasing number of consumer gadgets and appliances are now equipped to communicate over the Internet. By 2020, market research firm IDC estimates, the so-called The Internet of Things will comprise 200 billion devices. As with our infrastructure, however, connecting all that equipment makes it a potential target for hackers. Unfortunately, medical devices, smart TVs, refrigerators, and thermostats do not have proper security protocols.
"Most people are still confused and think 'cyberattack' only means criminals steal your data or empty out your bank account," says Rodney Joffe, an early commercial Internet pioneer and now the senior vice president and technologist at cybersecurity company Neustar. "But the Internet of Things means there will be physical events. People will get hurt. Things will blow up," Joffe says.
Joffe is not keeping these concerns to himself. He has testified before Congress about the inherent vulnerabilities of 300 different connected medical devices and the dangers of smart and self-driving cars. (Hackers have successfully controlled cars remotely.)
"We did not implement security when we built the Internet. We now spend all our time trying to retrofit security, but it's an impossible task," Joffe tells Inc. "Nothing is secure. Nothing is safe."
Examples of vulnerable devices
If you think Joffe's comments are the ravings of a paranoid cybersecurity nerd, you're in denial about your DVR, cable modem, and smart refrigerator. Take a look at some examples:
- According to a 2014 Hewlett-Packard study, 70 percent of the most commonly used IoT devices were not secure. The report found that the thermostats, alarms, locks, TVs, and webcams connected through the cloud and smartphone applications were plagued by an average of 25 vulnerabilities, including unencrypted personal information, weak password security, and inadequate software protection.
- Recently there have been three reported hacks of Foscam's wireless baby monitor. Last year in Texas, a couple heard an adult's voice coming out of their sleeping baby's room. When they opened the door, the camera swiveled toward the door and a man's voice taunted the parents with obscenities.
- Many wireless medical devices run on old, stripped-down operating systems without security protocols. A few years ago, security researcher Jay Radcliffe discovered that a bestselling insulin pump was vulnerable to attack. A diabetic himself, Radcliffe breached his own device through its wireless communications system and was able to manipulate the amount of insulin injected into his body. No wonder Dick Cheney disabled his pacemaker's Wi-Fi.
The hackers' modus operandi
The security issues also can extend beyond individual devices. In January 2014, Proofpoint, a Sunnyvale, California-based security-as-a-service company, discovered a midsized cyberattack that involved smart appliances. The phishing attack, which sent more than 750,000 malicious emails, came from a network of 100,000 pieces of infected equipment, including routers, smart TVs, DVRs, and at least one smart refrigerator.
In those types of attacks, the smart devices send out only one or two malicious emails apiece. Criminals appear to be using this technique more frequently of late, which is more akin to guerrilla warfare than traditional cyberattacks aimed at one hijacked server.
Kevin Epstein, vice president of advanced security and governance of Proofpoint, says hackers are using Internet of Things devices for four reasons: The wireless devices are easy to breach; the devices are relatively powerful for their size; there are more of them than there are vulnerable computers and laptops; and a company cannot issue a patch through software updates.
"You can have more aggregate computing power with millions of Internet of Things devices than an infected supercomputer," Epstein says. "Internet of Things devices are useful to hackers. As more things become connected, attacks will range from a hacker taking pictures of Miss Teen USA on her webcam without her knowing to the significant attack on control systems of factories."
Another advantage for hackers is the difficulty individuals and businesses have keeping track of all their connected devices. How many wireless devices do you have at your company? With most businesses using smart equipment in the office and their employees using personal smartphones, a hacker could easily enter the network through a daisy chain of devices. Criminals could, for example, hack an employee's home refrigerator, then get into the employee's smartphone, and ultimately into the office's network.
"If you were to ask me how many IoT devices I have in my house, I'd have to think about it. My laptop, my TV, my stereo amp, my DVR, my phone, my Blu-ray player, my router. I can't count them all," Epstein says. "Even worse, if someone told me my smart TV is being used by an attacker, what do I do now?"
Now that we know of the threat, what do we do about it? Epstein says if you find out something has been breached, you need to get in touch with the company and ask if a firmware update exists for the specific vulnerability. "You're not going to be able to replace the firmware yourself. You'd have to get a whole new TV or refrigerator," he says.
Stopping these types of attacks from hundreds of thousands of infected smart devices is exceedingly difficult for companies to do."To stop an IoT attack, you need to look at big data information systems and look for patterns, like fighting terrorism," Epstein says. "Companies are now deploying ways to look at traffic at the granular level and looking for irregularities" like binary files that have been sent from home routers.
Joffe, meanwhile, says that the only real way to defend your company against IoT attacks is to stop spending all your time and money trying to prevent them.
"In most cases, it's already happened, just most companies don't realize it. You have to change your attitude as a business owner from one of [proactive] cybersecurity to one of risk management," he says. "You have to understand where your risks are and find ways to mitigate the risks by recognizing the failures as quickly as possible."