In 2013, former US vice president Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities. This was to thwart any possible assassination attempts through online hacking.
Welcome to the darker side of the Internet of Things (IoT), a growing technological industry where shooting first and asking questions later is the norm.
The IoT will one day take significant control over our homes, transport, health and more. And despite the incredible access we now give to wifi-enabled devices, very little thought has gone into the potential security threats posed by all this interconnectedness.
Recently, the future of self-driving cars was thrown into doubt after a journalist and two hackers showed it was possible to remotely take control of a 2014 wifi-enabled Jeep Cherokee.
Senior writer at Wired magazine Andy Greenberg agreed to drive the Jeep on the highway in St Louis while experienced hackers Charlie Miller and Chris Valasek tested out their car-hacking skills remotely. The journalist reported the hackers, located 12 kilometres away, started by blasting cold air. Then the radio blared hip-hop at full volume. Next the windshield wipers turned on. They were only getting started. They cut his transmission, took control of the steering wheel and disabled his brakes.
Greenberg lived to tell the tale. But this and other scare stories have prompted two US senators to introduce legislation requiring the National Highway Traffic Safety Administration and the Federal Trade Commission to “establish federal standards to secure our cars and protect drivers’ privacy”. The SPY Car Act would also establish a “rating system” so that consumers could determine how well various cars do in terms of driver security and privacy.
The European Union has been ramping up efforts this year to improve its out-of-date data protection laws, including the widely anticipated General Data Protection Regulation (GDPR) and legislation requiring all new cars to have built-in emergency-call equipment by 2018. Critics of the motor legislation, however, say it doesn’t go far enough in terms of protecting drivers’ privacy.
At least governments are beginning to take IoT security more seriously, even if some service providers aren’t. Not only that but there are also plenty of entrepreneurs out there offering solutions of their own.
“It’s a huge area in business right now,” explains Lance Hayden, managing director for Technology Advisory Practice at the Berkeley Research Group in Texas. “The security industry is going nuts. Everyone is saying they’ve got the secret to IoT security.”
Frankenstein’s cyber creation
Does it differ from regular cybersecurity, the kind treated by McAfee, Symantec and Norton? Well, yes and no. On the one hand, it’s not that different, as IoT isn’t built upon anything new. The same principles, and in many cases technologies, apply.
On the other hand the scale of digital interconnectedness is unlike anything ever seen before. All of a sudden numerous devices are being plugged into a whole network of online service providers, often running in a way that has less and less direct human involvement.
So it may leave us open to increased cybercrime. The media has begun asking a lot of questions. “Frankenstein is still a classic novel: the idea of our creations coming back to bite us,” says Hayden. “That these things are everywhere, and they may even be inside us, is pretty terrifying.”
Hacking baby monitors
Many people are unaware of just how many connected devices they have in their homes. “I used to have two computers – laptop and a phone – but now I have about 20 around my home,” explains Einaras Gravrock, CEO of CUJO, which offers IoT security protection for people’s homes. “How safe are they? How are they built? More often than not wifi-enabled devices – from lightbulbs to thermostats – are not necessarily built with security in mind.
“Because devices are now touching very important aspects of our lives, the damage that can be done is pretty serious,” he adds. “There have been reports of baby monitors being hacked so that intruders can monitor people’s homes and know when they’re away.”
Playing down the threat?
Not everyone is convinced. “The same thing that makes the IoT a really powerful tool can also make it a very big risk if you don’t take a lot of care with the data,” explains Josh Siegel, from the Department of Mechanical Engineering at MIT. “There’s a two-fronted risk here: either a person’s data is leaked, or data is shared that wasn’t meant to be.
“They are both potential problems. Still, most of the risk in IoT has been played up by the media. Things are not perfect, but they’re nowhere near what some reports would have you believe.” Siegel is involved in a vehicle connectivity start-up. “My research at MIT was based on building an open-source connected car platform called CarKnow,” he says. “We connect cars to the internet to improve efficiency, reliability and user experience.”
With an IoT start-up of his own, it’s not surprising that Siegel might play down the threat posed by security breaches. However, other commentators would tend to agree.
“The security or otherwise of someone’s home is ultimately their responsibility,” says Prof Bashar Nuseibeh from LERO, the Irish Software Research Centre at the University of Limerick.
“We must acknowledge that the way technology is taken up and used is very much up to human beings and not the other way around. Security threats are more likely to be caused by our behaviour and misbehaviour, and not necessarily just by criminals but also by people who are not very well informed.”
That said, Nuseibeh does acknowledge we’re entering a world where the scale of interconnectedness is going to demand some state involvement. “Classic security, for malware protection or anything else, is very often considered an ‘extra’,” he says. “As IoT devices increase connectivity we’ll need some interventions in terms of regulation.”
“There is some scaremongering going on because it’s new,” says Hayden. “One of the most dangerous things you can do is get behind an automobile. Tonnes of people die every year doing it. But we don’t freak out.
“One of the best marketing approaches out there goes by the acronym, FUD. This refers to fear, uncertainty and doubt. It’s a great marketing pitch till people realise you’re scaremongering. Those most afraid of IoT are those closest to the subject, the security guys themselves. Digital society is still cracking along every day, getting bigger and bigger. But Armageddon hasn’t happened yet.”
The whole internet enchilada
Similar to the explosion of apps soon after the launch of the first Apple iPhone, some commentators are now predicting the development of 50 billion different IoT devices over the next few decades. “That’s basically the Internet of Everything,” says Hayden. “When you start talking about security in the Internet of Everything, you’re actually talking about the security of everything.
“This might sound scary,” he adds. “But at that point it will bring the issue to a level akin to other major societal problems – war, crime, disease, etc. And society will have to treat it as a crucial challenge that must be faced and overcome.”