Watch out in a world of connected objects, cyber specialists warn

A major wave of cyberattacks hits dozens of countries around the world earlier this month
A major wave of cyberattacks hits dozens of countries around the world earlier this month

The massive global cyber attack that wreaked havoc in computer systems earlier this month caused plenty of visible disruption, not least in Britain's National Health Service.

But in the brave new inter-connected world heralded by the internet of things (IoT), so-called "ransomware" attacks could have as their source something quite mundane and yet present in ever more modern households.

In a not so far-off future, the source of a software glitch with serious consequences for the simple consumer could be anything from a connected coffee machine or refrigerator to a techie toy or an outsmart-you television.

Web-connected gadgets are becoming all the rage with tech-aware professionals.

But the mere idea that it only needs a hacker to give the software a malevolent tweak to send them on the blink with disastrous consequences may yet threaten the development of such goods' popular take-up.

"Regarding last weekend's attack there is no risk for connected objects. That in particular hit systems running Windows ...and today there are no mass market gadgets with Windows loaded in order to function," says Gerome Billois, a consultant with Wavestone.

"In contrast, there have already been massive attacks on connected objects," Billois told AFP.

The Mirai malware strain made from hacked IoT devices including badly secured routers and internet connected cameras recently infected hundreds of thousands of poorly secured connected objects.

A ransomware demand after one's computer or other connected object has been hacked might look like this
A ransomware demand after one's computer or other connected object has been hacked might look like this

The idea was not to stop them from working but to transform them into zombies or botnets with a view to using them as relay stations for future cyber attacks.

Last week at a timely cyber security conference in The Netherlands, American wunderkind Reuben Paul, just 11, stunned an audience of security experts by hacking into a teddy bear via bluetooth to show how interconnected smart toys "can be weaponised".

His prowess showed just how easy it is for tech savvy individuals to use everyday objects to harvest data or use them as spy holes for covert surveillance.

According to documents released in March by Wikileaks, US intelligence can hack smartphones, computers and smart, web-connected TVs, to pilot them and eavesdrop.

"All the other connected objects can be pirated, that has been shown, be it a coffee machine, a refrigerator, a thermostat, electronic entry systems, the lighting system...," warns Loic Guezo, a analyst for southern Europe with Japanese security software company Trend Micro.

Mikko Hypponen, head of research at Finnish security specialists F-Secure, has for his part come up with his eponymous Hypponen's Law.

This states that "once a device is described as 'intelligent', you can consider it as vulnerable."

Are your links to the web safe?
Are your links to the web safe?

Neglected security

The future might well spell connected cars—but they too are subject to potential remote hacking, the consequences of which barely need stating.

When hackers lurking with their laptops have finished conjuring what havoc they might wreak on distant roads there are plenty of other things to which they could turn their attention.

These include vases which tell you when they need fresh water, insulin pumps—or how about sex toys?

So, the worried tech consumer may be asking him or herself—can a cyber hacker deprive me of my morning slug of caffeine?

Or maybe keep my thermostat blocked at 10 Celsius (50 Fahrenheit) —a chilling thought—or even take over my GPS if I don't hand over a ransom?

Theoretically, yes, specialists tell AFP.

"The logic of a cybercriminal is to make money," says Wavestone's Billois. Such an individual will not feel the need to make do with small-scale attacks.

The internet of things can connect our homes, our coffee machines, our fridges, all kinds of appliances, to the outside world—wh
The internet of things can connect our homes, our coffee machines, our fridges, all kinds of appliances, to the outside world—where a hacker might be lurking

Connected TVs, having rapidly become widespread, are an ideal portal for making ransom demands.

"Tomorrow, one can imagine devices which attack your connected house, bringing it under control, and then you get sent a message by another channel," muses Guezo.

All that would required would be to perfect the sort of virus one can find on offer within the murky confines of the "darknet", off the beaten track for day to day netizens.

Cyber security specialists are very much aware of the need to keep working on solutions offering protection as more and more homes go "smart" and "connected" with various boxes as add-ons to their usual routers.

The specialists' plan is to work with the makers of connected goods in order to incorporate a security interface right from the start, thereby offering what the profession calls "security by design".

Some experts feel that, in the rush to bring fascinating and cutting edge technologies into the home, the need for commensurate has been rather left behind.

"It is extremely difficult to calculate the solidity of a connected object in terms of cybersecurity," Billois regrets.

"As a consumer it is today impossible to know if you are buying a secure connected object or not," he adds.

"There's no label such as a made in Europe kind of tag guaranteeing an object won't catch fire, or won't pose a risk to children."


Explore further

Cyber kid stuns experts showing toys can be 'weapons'

© 2017 AFP

Citation: Watch out in a world of connected objects, cyber specialists warn (2017, May 21) retrieved 23 July 2019 from https://phys.org/news/2017-05-world-cyber-specialists.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
189 shares

Feedback to editors

User comments

May 21, 2017
I like that law, smart is hackable. For AI it especially applies.. For any AI system, output is by definition based on input, so bad inputs create bad behaviors. In traditional software, bad inputs are called 'hacking', in brain like AI's, they are called 'political journalism'.

May 21, 2017
There is nothing new in IoT that people haven't already been doing for decades in SCADA systems. The one and only difference is that for some stupid reason the marketeers thought it would be okay to put this stuff directly on the Internet without any encryption or authentication embedded in the applications. Thus the name: The Internet of Things.

This was no ordinary screw-up. This was one of the most moronic, preventable disasters in technological history. Now we're stuck putting band-aids on a sucking chest wound of a problem. The only way to fix this is to get the Internet of Things off of the Internet. Ironic, isn't it?

May 21, 2017
don't want your private crap exposed?

don't put your private crap on the public net.

May 21, 2017
So no device containing any of your private information ever has an Internet connection? You never provide private information to an app or website even when you're assured it will remain confidential?

Shootist:
don't


May 21, 2017
Yes, smart is hackable and regulations should recognize that fact to help protect us from its practical consequences.

But in AI, "bad inputs create bad behaviors" is true only when the AI doesn't sufficiently account for bad inputs. Any adequately implemented AI does validate input for "bad input" to protect from responding with "bad behaviors". Like any software, indeed like any known intelligence, that validation's success can be intractable with any sufficiently complex processing of any sufficiently large range of input values. So it's not as simple as either "GIGO" or "smart can be 100% safe".

luke_w_bradley:
I like


May 21, 2017
Decades of SCADA systems rarely dealt with the complexity of so many devices monitored or controlled by the supervisory system. They rarely dealt with devices under any control of any party not the party operating the supervisory system. They rarely provided so much functionality, and so rarely required the system complexity that delivers such functionality. They also rarely included any components, hardware or software, that weren't developed by the same org that developed the rest of the SCADA system, or weren't at least developed in explicitly coordinated development projects even across orgs. None of those differences necessarily are the other difference, "Internet connected".

It's also not simply the fault of the usually blameworthy marketeers. The insecurity of IOT devices is typically the fault of other executives ignoring the risks of insecurity to cut costs or speed competition. Marketeers prefer credibly claiming their products are safe.

ab3a:
There is nothing


May 21, 2017
It's not clear which screw up you're referring to.

The WannaCry attacks were possibly preventable by giving Microsoft more incentive to force upgrades after a vulnerability is known to it. They were possibly preventable if the NSA supported the Pentagon's stated mission of protecting the US and its interests by working to close vulnerabilities it discovers rather than undermining that mission by exploiting them (and leaking them).

The Mirai attacks were not so easily preventable, because so many of the IOT devices cracked to run the attacks were shipped globally from corporations in countries where regulations and even economics leaves them unaccountable for their own insecurity, but leaves them more profitable just for putting lots of cheap devices around the world. Import regulations could require meeting product safety standards, which would reduce the risk and consequent damage.

Better regulation would make IOT much safer, while keeping Internet.

ab3a:
This was

May 21, 2017
Authentication and encryption are a reality in SCADA. I know. I have been active on the standards committees that pioneered this stuff long before IoT was a thing.

I have decades of experience designing, integrating, and maintaining SCADA systems. The only difference is a matter of scale. There is an order of magnitude less complexity in most IoT applications than in a distribution SCADA, so it is practical to scale up IoT to far more nodes than a typical SCADA system. There are more supervisory controls, and data summarization in a SCADA system than in an embedded IoT device.

Think of IoT as a very large bunch of really elementary SCADA nodes that operate almost entirely in real time.

But as for regulation: Do you trust lawyers to do engineering? NO? I can't imagine why.

May 21, 2017
Well, I have nearly a decade working in what we now call IOT, after decades of other SW and networking development experience. I've studied traditional SCADA systems for my own work. The complexity of IOT is not in the embedded IOT device, but rather in the distributed network. There might or might not be as many supervisory controls in an IOT network as in a SCADA system, but there is typically much more complexity. That is what I am talking about.

I don't trust lawyers to do engineering. Neither do I trust engineers to legislate. I do know that when they *don't* work together we get the vacuum of good regulation that allows the status quo of Internet insecurity to wreak havoc. I also know that SCADA systems operated more securely under good legislative regimes developed by engineers and lawyers working together.

ab3a:
Authentication


May 21, 2017
The reason why I rant about lawyers doing engineering is because there aren't sufficient standards or the social lines of responsibility yet. The big missing piece is key management. It is a work in progress.

Imagine Ralph Nader foaming at the mouth about "Unsafe at any Speed" when three point seatbelts, crumple zones, and airbags had not yet been invented. That's where we are today with security. The traditional IT models of nodes of ultimate trust that validate signatures is not viable for the control systems that support communications with those very servers. So there has to be a distributed alternative.

Generally, IoT has one thing going for it: It has high nuisance value when it's hacked, but as long as it stays out of critical infrastructure, it isn't likely to do much damage. The IIoT meme is a recipe for disaster. It really should have been named Industrial device Internet of Things, or IdIoT.

May 22, 2017
Nader was an attorney. If his book hadn't been so widely accepted by Americans as a wake up call, we might not have gotten those inventions, or at least not until after many more people had been killed/maimed without them. He rightly gets credit for enabling laws including the Consumer Product Safety Act and the National Traffic and Motor Vehicle Safety Act (and the Whistleblower Protection Act, the Freedom of Information Act and other big ones).

Lawyers don't do engineering. Good regulation requires good lawyers and political leaders, as well as good domain experts like engineers. Engineers are necessary, but not sufficient, to good network security.

IOT has a lot going for it, in efficiency and convenience. More to the point we've got it and we're going to get only more of it, lots more. So rather than pine for horses and buggies, we need to get engineers to work with lawyers to protect it, and us from it.

ab3a:
The reason

May 22, 2017
Better regulation would make IOT much safer, while keeping Internet.

I don't think any kind of regulation would help.

IoT: Non-updatable, unsecured devices that use unencrypted data protocols manufactured to be "cheap, cheap, cheap".

What could possibly go wrong?

Seriously, even if such devices were produced to some standard that'd be deemed 'secure' at delivery - that doesn't hold forever. New attack vectors are discovered on a daily basis. Unless these can be patched in a timely manner there's no way to make an IoT even semi-safe. (And I see no way to have IoT devices patchable but still cheap enough to make sense...even after someone figures out a sensible use for them in the first place - which so far no one has)

May 22, 2017
This was no ordinary screw-up. This was one of the most moronic, preventable disasters in technological history. Now we're stuck putting band-aids on a sucking chest wound of a problem. The only way to fix this is to get the Internet of Things off of the Internet. Ironic, isn't it?
So apparently the system had fundamental limitations which prevented the kind of scalability necessary for the IoT. So the only way to prompt the development of a more suitable system was to expose the old one to enemy attack.

This is done all the time with weapons systems, the more obvious one being when the US put all it's battleships in a harbor in the middle of the Pacific as an irresistible target for carrier-based aircraft attack.

Tellingly, it's carriers were all out to sea.

This was the only way to demonstrate to aging admirals and politicians the obsolescence of their lovely battleships.
Cont>

May 22, 2017
IoT is inevitable and so we will have one that we can depend on, one way or another, irregardless of aging posters here who think its impossible because they just cant imagine how it could be done.

Admiral Leahy had the same conceptual limitations re big explosions.

May 22, 2017
Regulation with reasonably adequate enforcement resources would certainly help. Import regulations prohibiting products failing to meet safety regulations would gut the worst deployments, radically lowering risk. Safety regulations requiring at least confidential code sharing and reviews with regulators, mandatory code reviews by certified security experts, perhaps even insurance requirements (causing further code reviews) all could follow the well established auto industry precedents and resulting safety improvements.

antialias_physorg:
I don't

May 22, 2017
As for patchable, Google's Android Things (née "Brillo") OS is explicitly designed to make IOT devices patchable. It's free (as all Android), lightweight (no UI), already runs on $5 devices (like Raspberry Pi and smaller), and uses the same extremely scalable infrastructure that keeps literally billions of mobile devices updated. The same embeddable OS target for the huge existing Android developer community to make apps to make it popular.

But as with Android phones, only those HW manufacturers (including Google's own brands) invested in security keep them updated and safe. Which is where the regulatory infrastructure comes in.

The IOT insecurity problem is just beginning to cost big players more than IOT is worth. The tech and human solution components are arriving hot on the problem's heels.

EmceeSquared:
Regulation


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more