How the Internet of Things Could Kill You

Source: Tom's Guide US

The hyper-connected world of the "Internet of Things" may be convenient, efficient and cool, but it has a scary underside: An attack on connected devices is often an attack on the victim's physical space and being, and, unlike regular hacking attacks, could result in injury or death.

The Internet of Things (IoT) refers to the networked embedded devices and common household or everyday items, most of which have not traditionally been connected to the Internet. Examples include smart electric meters, driverless cars, refrigerators that send alerts when the milk runs out, bathroom scales that monitor weight gain and thermostats that track the homeowner's commute to determine when the heat should go on.

ABI Research, a New York-based market-research firm, estimates there are more than 10 billion wirelessly connected devices in use, and that there will be more than 30 billion by 2020.

All this home, personal and vehicular automation sounds exciting, science-fiction-like and efficient. It can also be terrifying, since the consequences of something going wrong with connected devices could be deadly. Hackers targeting connected devices won't just have access to personal information; they might also be able to take control of the physical world.

"The threats now involve safety, water, shelter and warmth," said Trey Ford, global security strategist at Boston-based security firm Rapid7. "As the user, you are no longer in charge. The computer is making the decisions."

Hacked cars, alarm systems and pacemakers

The physical aspect of IoT vulnerabilities became evident at last year's DEF CON hacker conference, where security researchers Charlie Miller and Chris Valasek showed how they hacked into the onboard computers on a Toyota Prius and a Ford Escape to take over the vehicles' steering and braking systems. They were able to jerk the vehicles' steering wheels, slam on the brakes and even disable the brakes altogether, regardless of what the driver tried to do.

Over the past two decades, computer users have gotten better about protecting themselves against attacks. They've learned to use strong passwords, run antivirus software and update their operating systems. Computer-based attacks have been confined to the digital world, and the worst consequences involve lost data or lost money.

But in the Internet of Things, attacks can have a physical impact, because the targeted systems control the physical realm.

In a manufacturing plant, for instance, switches could be turned on and off until equipment broke down or caught fire. A burglar could hack into a home alarm system's Web interface to use the security cameras to monitor the property, then turn off the alarm and unlock doors once the residents left the house. Or someone could break into your home, because Internet-connected garage doors can't tell when a request is coming from the actual homeowner or someone planning a home invasion.

Even without breaking into the premises, an attacker could turn off the gas, lock doors, flip the lights, and just "terrorize you in your own home," Ford said.

These scenarios are not just idle speculation. Earlier this year, IOActive researcher Mike Davis found multiple vulnerabilities in Belkin WeMo Home Automation devices that could let attackers perform malicious firmware updates, remotely monitor devices and access the user's home network.

At last year's Black Hat security conference, two researchers from Trustwave Security Labs discussed vulnerabilities in a number of home-automation systems, such as door locks, alarm systems, garage doors, lights, surveillance cameras and other electronic appliances that could be used to carry out covert surveillance and gain entry to buildings.

The famed late hacker Barnaby Jack demonstrated how to hijack wireless insulin pumps to deliver potentially fatal doses from across a room, or hijack wireless pacemakers to stop hearts — a scenario borrowed by the TV series "Homeland" — or deliver electric shocks.

Security is not always a priority

Researchers have called on manufacturers to secure connected devices, but hardware engineers developing the devices often don't have experience in physical security or cybersecurity. Companies may not prioritize security because it would slow development, making it more likely that a rival will launch a competing product first.

Even when notified of flaws, manufacturers may not respond accordingly. Trustwave found one company that claimed its products were as secure as any home-automation system on the market, and another that said potential attacks required too many extra steps and variables to be a threat.

"The problem with this process is that no one entity has any incentive, expertise or even ability to patch the software once it's shipped," noted Bruce Schneier, chief security officer of Co3 Systems and a well-known security expert, in a blog post earlier this year.

To complicate matters, most connected devices, which use "embedded" software built into their chips, can't be easily patched. Imagine an automaker having to tell customers the cars they bought three years ago were no longer safe because the software was out of date.

Even if the hardware can be patched, there are problems. Software upgrades frequently create glitches when deployed across a wide range of users because of software conflicts or other issues with specific types of hardware, noted Andrew Rose, a principal analyst with Cambridge, Mass.-based Forrester Research, in a company blog post in May.

"When your endpoint is traveling at 70 mph on a crowded highway, that’s not the time to find out that the software upgrade has a flaw, or that it corrupted an essential feature," Rose warned.

Changing the security model

"If we don't have a fundamentally new security model, then I don't know how we're going to enjoy the Internet of Things," Dan Kaufman, director of the Information Innovation Office at the U.S. Defense Advanced Research Projects Agency (DARPA), told attendees at the recent GigaOm Structure conference in San Francisco.

"Patch Tuesday for your car or your insulin pump doesn't make a whole lot of sense," Kaufman added, referring to Microsoft and Adobe's monthly rounds of software updates.

Until manufacturers start building with security in mind, or security companies come up with tools that can be used to secure the Internet of Things, there are a few things users can do to protect themselves.

Ford recommends segmenting a network, even a home Wi-Fi network, to keep Internet of Things devices separate from computers, routers and smartphones, and taking advantage of existing network defenses, such as firewalls and intrusion detection and prevention systems.
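
As an added illustration (not part of the original article), the Python sketch below models that segmentation as an ordered, first-match firewall policy between zones and audits it. The subnets, zone names, rule format and sample hosts are constructed assumptions, not any router's real configuration syntax.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per segment.
ZONES = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # computers, phones
    "iot": ipaddress.ip_network("192.168.20.0/24"),      # cameras, thermostats
}

# Rules are (src_zone, dst_zone, conn_state, action); the first match wins.
# Typical flat home setup: anything inside may open connections anywhere.
FLAT = [
    ("any", "any", "established", "accept"),
    ("trusted", "any", "new", "accept"),
    ("iot", "any", "new", "accept"),
    ("any", "any", "any", "drop"),
]
# Segmented setup: IoT may reach the Internet but never initiate to trusted.
SEGMENTED = [
    ("any", "any", "established", "accept"),  # replies to permitted flows
    ("trusted", "iot", "new", "accept"),      # owner can still manage devices
    ("trusted", "wan", "new", "accept"),
    ("iot", "wan", "new", "accept"),
    ("any", "any", "any", "drop"),            # default deny between zones
]

def zone_of(addr):
    """Map an address to its zone; anything unknown is the Internet (wan)."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "wan")

def decide(rules, src, dst, state="new"):
    """Evaluate a packet against the ordered rules; first match wins."""
    s, d = zone_of(src), zone_of(dst)
    for rs, rd, rstate, action in rules:
        if rs in ("any", s) and rd in ("any", d) and rstate in ("any", state):
            return action
    return "drop"

def audit(rules):
    """Return the segmentation problems found in a rule set."""
    cam, laptop, outside = "192.168.20.15", "192.168.10.5", "203.0.113.9"
    checks = [  # (problem if result differs, src, dst, state, expected)
        ("IoT can open connections to trusted LAN", cam, laptop, "new", "drop"),
        ("Internet can open connections to IoT", outside, cam, "new", "drop"),
        ("trusted LAN cannot manage IoT", laptop, cam, "new", "accept"),
        ("IoT replies to trusted LAN are blocked", cam, laptop, "established", "accept"),
    ]
    return [p for p, s, d, st, want in checks if decide(rules, s, d, st) != want]

if __name__ == "__main__":
    print("flat:", audit(FLAT))
    print("segmented:", audit(SEGMENTED))
```

The stateful "established" rule is what lets a phone on the trusted segment keep controlling a device while the device itself cannot start a connection back.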

Widespread attacks against the Internet of Things are not yet here, Ford noted, which means there is still time to think about what the threats will look like, to come up with strategies to secure devices and to get companies involved in protecting them.

"We need to be thinking about solutions," Ford said.

This thread is closed for comments
  • godnodog, July 18, 2014 8:33 AM
    How about "if is not needed, is not connected"?
    I can see in the future marketing campaigns "It does not require internet connection"
  • FRANK YOFU, July 18, 2014 3:56 PM
    WTF?!! Are you serious? Maybe radiation but being attacked by a toaster, c'mon!
  • LePhuronn, July 21, 2014 2:09 AM
    Well if you're stupid enough to hook your pacemaker up to the internet then you deserve everything you get.
  • virtualban, July 21, 2014 3:25 AM
    The doctor can come get my printed logs. They don't need to monitor my health and heart in real time. Neither do my children or neighbours. Neither does the robot that is put in care of me, as the elderly. I am a voting citizen, and I deserve my right of health privacy, away from hackers, and glitches and bugs that will give me my medicine at the right time. Of course, I cannot tell which medicine it is, or how much I should take, but I learned and wrote it down 20 years ago when I got my medicine and now the electronics system only makes sure I get my fix every time I go to the pharmacy. Because no hacker or system malfunction can mix up the details, no careless doctor may mistake one bottle for another, no sweatshop slave will ever mistake anything, no robotic or human controller will check something within the parameters of their sensors but miss something outside of their scope. No, nothing like that can ever occur. So, I only need to fear inside my home, but outside, I may be robbed and attacked, I may have to travel with my arthritis and whatnot to the drug store, or to the door so the delivery person may give me my medicines... but what's a bit of discomfort for security? No? Airport Security? Terrorism threats and good NSA guys monitoring everything so they can catch those damn terrorists? And I will understand them mistaking me for a terrorist because I researched the wrong word on Google. It was my fault after all. I am glad to even pay the fees for their investigation, capture and information delivery expenses. I am a good cog in the system. And I can vote. Though, not sure about this last part.
  • Ben Myers, July 21, 2014 5:54 PM
    I think I'll keep my things off the internet. All we need are some malicious terrorist hackers who target a specific device, write the code, then go and mess up the device, whether it is your car, your refrigerator, or your medical device. Don't forget that these are largely embedded systems, which do not have the ability themselves to notify you that a terrorist attack is coming. Well, I guess that terrorist attackers could blackmail the manufacturers of the device, couldn't they? And the manufacturers would have mega-insurance to cover them for all the class action lawsuits or wrongful death lawsuits that ensue when their crap gets hacked. IoT??? Fugeddabout it!