With the huge growth in mundane devices, everything from fridges to light bulbs, being connected and integrated with each other in the new ‘Internet of Things’ (IoT), the scope for hackers has grown right alongside it. The new network undoubtedly brings many useful conveniences to modern life: the ability for people to manage their own energy use, medical devices that allow doctors to monitor patients in real time from afar, and smart cars able to display all sorts of useful information to drivers. However, there is a peculiar headache regarding such unprecedented connectivity, says a special report in The Economist.
The problem with such devices is the gulf in consequences if an attack does occur. If a PC or home computer is hit by a security attack, it’s generally an annoyance with no serious, long-lasting consequences.
However, if, for example, a smart car’s system is attacked, the result could be death for the drivers or passengers. Indeed, security research companies have performed public demonstrations in which the system was hacked and the car controlled remotely: from suddenly jerking the steering wheel to switching off the engine.
While the technology required for such attacks is currently difficult to wield or requires direct access to the device in question, technology moves fast, and many believe it is only a matter of time until this type of activity is commonplace. Last year two researchers in Singapore showed off a car-hacking tool with a build cost of less than $25.
On the more ‘nuisance’ side of the spectrum, this type of worrying mass infiltration of devices connected to the Internet of Things has already happened. In 2014 cyber-security firm Proofpoint found evidence that a group of compromised devices, comprising such varied devices as home routers, televisions and refrigerators, had been taken over and put to use sending out spam. It would only take a tech-savvy arsonist to find a way of taking control of something like a boiler and turning it up to the point of explosion. Indeed, many boilers, ventilation systems and heating systems have been found to contain simple vulnerabilities.
Unfortunately, it may not be a problem so easily solved. Many of the microprocessors and chips going into these newly Internet-ready devices are produced on wafer-thin margins, and security is often one of the easiest things to omit to trim costs. Furthermore, the processing power of such chips pales in comparison to that of those found in home or work PCs, and they could not run many forms of anti-virus or other security measures simply due to lack of power.
The worrying thing is that it may take something catastrophic to get manufacturers to focus on the need for better security in this ever-more connected world. Hopefully, pressure from concerned consumers will be enough.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”