Not long ago, if you went around saying that your TV was spying on you, most people might question your grip on reality. But what sounded like a conspiracy theory yesterday has become a reality for many. Sci-fi programming you might see on TV might be a harbinger of what’s to come with technology. In February, Vizio was fined $2.2 million for gathering consumer data without their consent. And earlier this month, WikiLeaks released secret documents indicating that CIA had hacked Samsung smart TVs to transform them into covert microphones.
At the IWCE conference in Las Vegas, Curtis Levinson, United States cyber defense advisor to NATO, explained that the vast majority of Internet of Things devices sitting on the public internet are vulnerable to an array of cyber-exploits. And many of those “things” can be weaponized. Smartphones can transform into full-color, full-motion bugging devices. Self-driving cars could be programmed to crash. The electrical grid could be knocked offline. There’s seemingly no limit to the possibilities. “My general rule is: If I can think of it, somebody else is already doing it,” Levinson said.
What was most eye-opening about Levinson’s talk, however, was his conclusion: “Unless we protect our 'things,' we are going to get to the Planet of the Apes,” he surmised. Technological vendors are deploying IoT technology exponentially faster than they are protecting it.
Cybersecurity experts are trained to think in terms of worst-case scenarios and, in his talk, Levinson easily rattled off an array of examples of IoT security vulnerabilities.
Take self-driving cars, for instance. “You wouldn’t get me into a self-driving car on a bet,” Levinson said. “I know how easy it is to hack those things, so it starts veering off course. It is connected to the internet, and the current realm of self-driving cars are not firewalled.”
Connected cars that lack autonomous functionality have long been at risk as well. Levinson stated that Mischel Kwon, the former director of the United States Computer Emergency Readiness Team (US-CERT), investigated automotive cybersecurity over a decade ago and gained remote access to cars at a nearby dealership. “She did this with the dealer’s full permission—because he didn’t believe it was possible—she started the motor of eight cars, unlocked them, rolled down the windows and even changed the radio stations. She got her master’s, but it was pretty shocking,” Levinson recalled.
Ultimately, any type of connected vehicle is at risk. The Las Vegas monorail is driverless and is, therefore, hackable. “It’s kind of frightening if you bump one train into another or all of the sudden reverse [them]. Very difficult to protect,” he said.
Municipal infrastructure is one of the gravest threats. “Water treatment plants are highly automated. Their industrial control systems sit on IP addresses on the public internet and they are not firewalled and very often not protected,” Levinson said. A hacker looking to do harm to a city would only need to, say, turn off the water, change the water distribution pattern, or modify the water pressure. “Heaven forbid, they could do something like allow bacteria into the water and then distribute it,” Levinson stated.
“I agree that a lot of bad things can happen to our infrastructure,” says Chris Kocher, co-founder and managing director of Grey Heron, who also spoke at IWCE. But Kocher prefers to envision specific risk scenarios. “I think there are some major things that could be pretty detrimental like controlling a dam to reduce massive amounts of water and creating floods, destroying an energy plant (gas, coal, or other) that creates huge explosions and the loss of power or water to thousands of people for months or years while rebuilding.”
Ultimately, the notion of rampant cyberwarfare resurrects concepts from nuclear policies developed during the Cold War. “Concepts of commensurate response come into effect (a tit for tat approach where you take one of mine, I’ll take one of yours),” Kocher explains. “But if you just destroy a power plant, I don’t destroy an entire city as that would not be commensurate.”
Another concept, Mutual Assured Destruction (MAD) is also at play here. “I think this prevents the Planet of the Apes scenario,” Kocher says. “If all sides have the ability through cyber or military means to wipe out or severely retaliate against an opponent, than no one wants to take the first step because they know the other side may completely destroy them in a mutual assured destruction scenario.” The challenge, of course, is that the Cold War strategies and understandings in effect between a limited number of superpowers in the past may no longer be relevant if rogue states or non-state actors become active, Kocher explains. This becomes even more complex as it is often difficult or impossible to definitively know where a cyber attack originated.
While any IoT has potential vulnerabilities, the risk levels vary widely. “Some IoT devices are pretty locked down with HW security, encryption, firewalls etc. Doesn’t mean it is impossible to hack them but could be very hard,” explains Kocher. “Unfortunately some are ridiculously simple as they come with default passwords and many people don’t reset them.”
The fact that many IP cameras, routers, and DVRs on the market use default passwords is part of what enabled last October’s crippling Mirai botnet. “Apparently on some of those cameras, there was not even any security,” Kocher explains. “As security experts always point out, the challenge with IoT, like any system, is that they are only as strong as the weakest link.”
With cyberwarfare becoming fodder for prime-time news, science fiction plots can sometimes serve as a harbinger of things to come. After all, sci-fi authors have been warning of the post-apocalyptic possibilities of technology escaping the control of its owners for decades. The Internet of Things expands this potential reality.
In the near term, it is clear that IoT security is facing something of a perfect storm. As Kocher explains: “First, there are more devices available to be hacked; second, many are not locked up in a back office or data center but out there in people’s homes, cars, appliances and on their bodies in wearables; third, the data in some cases is extremely valuable and personal; fourth, everything is connected, as that is by definition what IoT assumes, which means if I can get in somewhere I can start accessing all kinds of remote systems; and finally, many of the devices have very low security barriers creating many weak links in the IoT security chain.”