'Internet of Things' a risk-reward proposition for security professionals
We live in a highly connected world. It is rare to walk down the street, sit in any form of public transportation or be in the airport and not see someone who is engrossed with their smartphone or tablet. These devices all contain not only a multitude of data-producing sensors, but also a variety of software applications that may require Internet connectivity. Applications on these devices help us to find the weather forecast, conduct banking and stock transactions, track our airline flight status, read news feeds, listen to radio and even pay for our coffee.
And it is not just smartphones that are connected to the Internet. Momentum has been increasing to connect more and more devices of every type to the Internet, resulting in an Internet of Things (IoT), a term coined by Kevin Ashton in 2009. This concept was originally meant to encompass a method by which data could be gathered automatically (at the time by RFID, or radio frequency identification tags) and used primarily for inventory purposes. ABI Research predicts that by 2020, there could be 30 billion devices wirelessly connected to the Internet. Cisco has indicated that this number might be closer to 50 billion in the same time frame.
Connected objects include vehicles, household appliances, industrial equipment, medical devices, remote sensors in the environment, smart electric meters and a wide variety of wearable devices. Of course, each Internet-connected object may have more (often many more) than one embedded sensor. At the Trillion Sensors Summit, hosted by Stanford University in October 2013, it was predicted that there could be over a trillion sensors in operation by 2023.
Increased Internet connectivity comes at a price that often entails a greatly increased risk to security due to the amount of data produced by these sensors and the potential for sharing these data widely. There are also questions about who owns the data that are generated, where and how the information that is created is transferred and stored, and what level of security is required to maintain privacy.
As one early example of the problems inherent with connected technology, the U.S. State Department first began to issue biometric passports in August 2007. These documents contained an RFID chip which, it was quickly discovered, could be read from 30 feet away by devices that could be purchased on eBay. Shortly thereafter the problem was acknowledged and passports were reconfigured to incorporate aluminum mesh in their covers to block such reading, although a State Department official has stated that the safest way to prevent reading is to place the passport in a radio-opaque attenuation sleeve. Even with this level of protection, however, the RFID chip is still readable when the cover is opened at any time for inspection.
RFID vulnerability is only the tip of the iceberg. We are still at the beginning of the IoT revolution when only a relatively few individual devices may have sensors. The true value, and concomitant increased risk, will begin to accrue when the IoT objects themselves can begin to take action based upon a user’s desire. For example, it is now easily possible to adjust your home’s heating and cooling system manually using your smartphone, tablet or computer. In the future, a home automation system may be able adjust the temperature based upon the owner’s proximity. When the house is unoccupied in the summer, the temperature may be allowed to rise, thereby saving power. When the homeowner is detected leaving work, the air conditioning system might switch on so that the home is cooled to the preferred temperature by the time their car pulls into the driveway. But what would happen if a malevolent attacker, either an individual hacker or a cyberattack by a rogue state, should disable or corrupt the home’s temperature controls making it impossible to cool in the summer or heat in the winter? And what would happen if that attack affected an entire region?
When refrigerators become connected, the data collected about specific food purchases could lead to conclusions about one’s ethnic or religious status, and whether there are health problems. Although temperature data gleaned from the refrigerator are likely to be innocuous, information collected from medical sensors could be more problematic, especially if combined with other information. What if your refrigerator-ordering application showed increased purchases of ice cream that was associated with a rise in your blood sugar or body weight detected by your implanted medical sensors? On one hand, you (and your physician) could be warned that you need to adjust your diet in order to remain healthy. On the other hand, your insurance company might also be notified and raise your payment due to the increased risk to your health.
It is also possible that your refrigerator or other Internet-connected device might already incorporate sensors that are not currently active, such as a microphone or webcam. What if a hacker could enable those remotely to determine if you are home or even to listen in on your conversations? Far from being a theoretical possibility, officials of the Lower Merion (Pennsylvania) School District admitted in 2010 that they activated the webcams on student laptops and covertly took photographs of children both at school and at home, ostensibly to investigate possible drug use. In 2013, a blogger revealed a security flaw that permitted anyone to monitor certain Internet-connected cameras at will. The Federal Trade Commission subsequently ordered the company that produced them, TRENDnet, to improve the security of its cameras, warn all customers of the existence of the vulnerability and provide guidance about how to fix it. These are not unique examples. Using Google, it is possible to locate many unsecured cameras around the world and a search engine called Shodan was specifically designed to look for Internet-connected devices of all types.
The ability for hackers to be able to access “smart” devices has recently been shown to be an actual, and not merely theoretical, threat. In January 2014, Proofpoint, a security service provider, reported a phishing and spam email cyberattack that involved approximately 750,000 malicious emails being sent from over 100,000 household appliances that included televisions, home network routers, media centers and at least one refrigerator. An attack of this nature would be very hard to block since no more than 10 emails were sent from any one device. As more of these devices become connected to the Internet, the problem may only grow worse unless appropriate security measures are implemented.
In many cases, wearable devices automatically connect to the Internet and have limited, if any, security. Without such security measures, it is possible a hacker might be able to tap into the audio and visual data streams from Google Glass and monitor all the wearer’s activities. It could even be possible to maliciously access a patient’s automated drug dispenser, which under normal circumstances is designed to release medication based on a body sensor that detects a specific condition, and dispense a harmful dose of medication. In 2012, the late Barnaby Jack, a researcher with McAfee, Inc., demonstrated how he could exploit the security vulnerability in an insulin pump from up to 300 feet away and force it to dispense what would be a fatal dose of insulin. He showed that essentially any device with a wireless connection could be vulnerable to hacking. This includes pacemakers and similar devices. In an October 2013 interview on “60 Minutes,” former Vice President Dick Cheney stated that his physician had ordered the wireless capability of his heart implant disabled due to the possibility that it could be vulnerable to a hacking assassination attempt.
While hacking a refrigerator could violate privacy, having the ability to exploit a security weakness in an Internet-connected door lock could mean that thousands of homes would become vulnerable to burglary. Even without overtly compromising an Internet-connected device in the home, simply analyzing network traffic patterns might provide useful information about whether the residence is occupied or not. Similarly, smart electric meters by their very nature gather copious amount of data on energy use. If that information is stolen, it would reveal an enormous amount of information about household activities such as when a consumer does their cooking, runs their washing machine or dryer, goes to bed or gets up in the morning. The FBI in 2010 also warned that smart grid electric meters can, with easily available equipment, be noninvasively altered to show no electricity consumption.
But sensors are only one element in the Internet of Things. The other major category of device is the controller. Controllers are devices like switches, valves and actuators that perform specific actions such as adjusting settings in equipment for variables like speed, temperature or pressure or turning ventilation fans on or off . It would appear to be the height of folly to place controllers without security on the Internet due to the possibility of hackers attempting to exploit security vulnerabilities. Indeed, in December 2012 a Chinese hacking group was caught attempting to infiltrate a decoy (known as a honeypot) U.S. water control system that was developed as a research project. Evidence showed that a dozen honeypots spread in eight countries were subject to 74 intentional attacks, some of which succeeded in being able to take control of the dummy system. Most attacks emanated from Russia and China. The investigator, Kyle Wilhoit, of the company Trend Micro, concluded that many systems in utilities across the world can be easily taken control of by attackers and that it is likely that the facility engineers are unaware of what has occurred.
In October 2012, former Defense Secretary Leon Panetta warned of a possible “cyber-Pearl Harbor” that could devastate the U.S. power grid, and financial and transportation systems. As evidence that possibility was real, Cisco beginning in May of last year detected a number of indirect attacks on energy and oil companies.
Nonetheless, it is also clear that any sort of potential security breach must be appropriately investigated to determine the true cause. For example, in November 2011 there was a widely circulated report that Russian hackers had remotely destroyed a water pump at Curran-Gardner Township Public Water District, located west of Springfield Illinois. However, about a week later, the Department of Homeland Security stated that the supposed hack never occurred and the water pump had simply burned out. In contrast, in 2007 the Department of Energy, in an experiment termed the “Aurora Generator Test” showed that it was possible to hack into a power plant control system and completely disable a large (1 megawatt) diesel electric generator to which it was connected. While that specific vulnerability was said to have been addressed, it is by no means certain that other similar exploits are not possible.
Not everything has the potential for harm, of course. Bridges, dams, buildings, pipelines and planes can be continuously monitored for structural integrity by appropriately placed sensors. Roads will be filled with sensors so that so that driverless cars can become a reality. Homes will be sensor-enabled so that energy consumption can be minimized. Smart textiles will monitor your health and measure your fitness and activity level. Washing machines might communicate with a smart electric meter and begin to wash their load only when the electric rates are at their lowest.
The term “smart” might even be applied to cities. When Christchurch, New Zealand was severely damaged by a series of earthquakes in 2011 a decision was made to make it a “sensing city” and incorporate a network of digital sensors into the newly rebuilt infrastructure (roads, buildings, utilities, etc.) that could generate real time data. These data will be used for traffic applications, disaster management and business decisions. It was decided that these data would be available to both the city government and the public with no limitations and that, for privacy reasons, individuals would not be tracked. The goals of the data collection were to be to create new services for the public and also to stimulate the growth of a data industry in New Zealand. The first project, in collaboration with the MIT Little Devices Lab, is designed to measure water quality using the efforts of members of the public who assemble monitoring kits that measure water quality by color changes in a paper sensor kit. A smartphone app is then used to upload a picture of the test and the GPS position to a central server that aggregates all of the data and creates a real-time map.
The Internet of Things is still in its infancy, but its adoption is likely to accelerate with the recent acquisition by Google of Nest, a company that currently produces network-enabled thermostats and smoke detectors, for $3.2 billion. The company has as its goal the implementation of the ‘conscious home’ that would be completely automated.
Devices with sensors are still a minuscule portion of the existing base of potential objects that could be connected. In addition, the data that such sensors produce are fragmented and usually limited to the manufacturer of the device. As these devices and data become more widely available, however, the ability of both legitimate companies and criminals to access personal information about the life of an individual expands exponentially.
If implemented correctly, the Internet of Things can change the world in a positive fashion even more than we can imagine by making us safer and healthier, reducing waste, saving money, and improving our environment. An abundance of sensors located virtually everywhere is not only a challenge but provides the opportunity for management of traffic flow, crime and threat tracking. Security standards need to be established and enforced at the design and manufacturing levels. As the IoT evolves, we can also expect that society will not only adapt to its usefulness but come to expect that appropriate safeguards be implemented to ensure both privacy and security. Since, however, there is no central authority to assure compliance, the security professional must be a strong advocate to make sure that the “things” and the data that they produce are both secure and not subject to interference or tampering in order to gain these benefits.
About the Author: Dr. Steven Hausman is president of Hausman Technology Keynotes (www.HausmanTech.com). He speaks professionally and conducts briefings on a wide array of topics related to technology, science and security that include nanotechnology, robotics, 3D printing, bionics (artificial limbs and organs) and radio frequency identification (RFID). He can be contacted via his website or his LinkedIn profile at http://www.linkedin.com/in/stevenhausman.