Every electronic device in your household
The 5 billion figure comes from Gartner, the world’s leading information technology research and advisory company, which says that more than 300 million cars and over 2,800 million consumer devices are already online. By 2020, the number of objects connected to the Internet of Things (IoT) is expected to top 25 billion – not an unrealistic estimate considering that many household appliances now come with rudimentary online functions.
“One of the things we’re constantly seeing is functionality absolutely being considered first, and security implications not being considered at all,” Ted Harrington, who is organizing an IoT “theme park” at DEF CON, a leading hacker conference in August, told tech site Informationweek.
At DEF CON, hackers will be encouraged to take control of baby monitors, fridges, garage doors, and security cameras. While it’s tempting to conjure up scenarios of doors being hacked by high-tech burglars, or vengeful exes exploding their former spouses’ coffee-makers, the dangers are likely more subtle – and pervasive.
“As we interact with our devices there’s this trail of digital exhaust that we leave behind. Once you combine this data and create very rich profiles of people,” Ken Westin, an analyst for security company TripWire, told Wired earlier this year.
Westin and other experts believe dangers will come from two sources – criminals, who can hack objects to understand target behavior, steal information, and commit financial crimes; and governments, who have a new set of devices with which to spy on people.
Alarmingly, a study conducted by HP last year shows that over 70 percent of IoT devices have vulnerabilities that can be exploited by hackers.
Last week Chrysler recalled 1.4 million Jeeps after a pair of notorious hackers went to the media with a demonstration in which they hijacked a moving car from a laptop hundreds of miles away.
“If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone,” Charlie Miller and Chris Valasek told the terrified Wired journalist whose car they had sped up and slowed down until he begged them to stop.
Miller and Valasek say that the first successful car hacks date back to 2011, but that their own 2013 demonstration – which required them to sit in the carjacked vehicle – found no truck with automotive giants, who told them the hack was no different than simply cutting the brake lines manually.
Incensed, the two Americans went looking for more vulnerabilities, and have now shamed Chrysler into offering a USB stick with a fix to their customers – an offer that is likely to be taken up by only a small percentage of Chrysler car owners, with the rest continuing to hope they won’t become targets.
And the danger isn’t restricted to one brand.
“I don’t think there are qualitative differences in security between vehicles today,” Josh Corman from IoT security company I Am the Cavalry, said to Wired. “The Europeans are a little bit ahead. The Japanese are a little bit behind. But broadly writ, this is something everyone’s still getting their hands around.”
Belatedly, Congress has got in on the act, with a new bill touted last week that will call on regulators to introduce more stringent car security standards, and a ranking system that will pit manufacturers against each other.
Of course, with the driverless car revolution around the corner, the potential hazards will only multiply.
In one of the most flagrant hacking episodes, German newspapers reported that a group of digital infiltrators took control of a Patriot missile system stationed on Turkey’s border with Syria, and forced it to perform a series of “unexplained commands.” Germans officials later rebuffed the claims, saying it was “extremely unlikely” their missile systems could be compromised, but stopped short of issuing an outright denial.
“These systems are not linked to public networks, they require special codes to fire the missile, which only a certain number of people have, and you generally need the code from two or three people to fire it, or to do anything that is of significance,” reasoned UK-based hacker Robert Jonathan Schifreen, in an interview with RT. “I don’t think it’s actually happened, which is not to say that some of these systems are not hackable in some way.”
Unlike other – theoretical – scenarios, being able to hack enemy military equipment has obvious practical use. This ability could inflict damage worth billions, and is thus being pursued by all leading military powers.
“It’s about the security of our weapons systems themselves and everything that touches them. It’s a pervasive problem and I think we have to pay a lot more attention to it,” Defense Undersecretary Frank Kendall said earlier this year, after the Pentagon demanded $5.5 billion dollars for cybersecurity in next year’s budget.
As in other areas, the more advanced the equipment, the more susceptible it is to outside interference. Last month, Richard Stiennon, chief research analyst at IT-Harvest, told FCW, a US state tech procurement website, that the troubled F-35 joint strike fighter, which costs over $100 million per unit, has 9 million lines of code in its software, and 17 million more in all the software suites written to support its basic function. According to Stiennon, eradicating the vulnerabilities in all military code in all the weapons systems used by the US would cost “hundreds of billions of dollars.”
“If we ever go to war with a sophisticated adversary, or have a battle, they could pull out their cyber weapons and make us look pretty foolish,” said Steinnon, who believes that the problem has resulted from a lack of foresight and a reliance on supposedly proprietary tech on the part of the Pentagon.
“Many of the things that are in the field today were not developed and fielded with cybersecurity in mind. So the threat has sort of evolved over the time that they’ve been out there,” admitted Kendall.
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? “PASS OXYGEN ON” Anyone ? 🙂
— Chris Roberts (@Sidragon1) April 15, 2015
That tweet, sent by security researcher Chris Roberts from a United Airlines flight departing from Denver to Chicago earlier this year marked a watershed in the wider awareness that planes could be hacked. Armed with a laptop and an Ethernet cable, he simply plugged into the electric box underneath a standard plane seat. He told the FBI he was able to find a way from the in-flight entertainment system to the vital commands that control the plane. To his prestige, Roberts said he was able to activate one of the engines, and forcibly veer an actual flying passenger plane off-course.
Security experts and Boeing later debunked his claims, saying that “While these [in-flight entertainment] systems receive plane position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions.” Ignominiously, Roberts was also banned from United flights, and stripped of the air miles he had accrued traversing the US with his hacking kit.
United have cancelled ALL my trips…and my daughters…and no refund on the Air Miles..goodbye 100,000 Miles so it seems…
— Chris Roberts (@Sidragon1) April 27, 2015
However, the dangers he flagged are all too real. The FAA warned Boeing of this very vulnerability in its Dreamliner design as far back as 2008, yet it still does not appear to have been entirely resolved.
“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” said a US Government Accountability Office report from April.
With planes still objects of extreme symbolic value in a post-9/11 world, this is one target that is almost sure to be tested by terrorists in the future, in one way or another. And this is before the ever increasing number of drones is added into the equation – a hard-to-evaluate batch of new risks, some of which have already been exploited by hackers.
Nuclear power facilities
Like weapons hacks, infrastructure infiltrations are the preserve not only of terrorists or criminals huddled in dank basements, but also of organizations with million-dollar budgets, headquartered in Maryland, Tel Aviv and Beijing. And unlike weapons hacks, infrastructure hacks don’t require an outright war to be employed.
While it is hard to imagine China and the US going to war, asymmetrical conflicts between “rogue states” and world superpowers remain plausible. The most famous public example remains Stuxnet, reportedly a US-Israeli piece of malware which was deployed to destroy nuclear centrifuges in Iran, and as later discovered in North Korea, albeit with far less success. It is difficult to imagine that this technology has not been surpassed since, or that many similar operations are not still ongoing. South Korea accused its northern neighbor of hacking into its nuclear plants as recently as last year, to loud denials from Pyongyang.
And technology that initially cost governments massive funds to develop often does eventually become available to less responsible groups, at a fraction of the cost.
“The disruption and possible infiltration of critical infrastructure is the most severe form of cyber-attack. Such attacks on airplanes or air traffic control towers, for instance, means that hackers could cause accidents, or even paralyze entire flight systems. As of now, this area of capabilities is the exclusive domain of developed states,” Gabi Siboni, director of the Cyber Security Program at the Institute for National Security Studies in Tel Aviv, told the Jerusalem Post in April.
“I strongly believe, however, that the next 9/11 will happen without suicide bombers aboard the plane with box-cutters, but will occur because of a cyber-incident perpetrated by a terror organization.”
Although there has not yet been a terrorist Chernobyl, in a survey of 35 states published by the Organization of American States, more than half of the security chiefs of critical infrastructure objects, such as power plants, airports, dams, said that there had been “attempts to manipulate” their equipment from the outside.
“This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor,” summed up Chief Cyber security Officer Tom Kellermann, for Trend Micro Inc., which compiled the report.