Hijacking “smart” toasters and refrigerators and hacking corporate ventilation systems are among the new threats envisioned by cyber security experts as an increasing array of items are connected to the internet.
The Internet of Things, a movement that seeks to control everything from factory equipment to traffic lights and household appliances through the web, creates vast opportunities for improved efficiency and convenience. But unless companies address the emerging cyber security risks, the Internet of Things (or IoT) will fail, said Stephen Pattison, the vice president of public affairs at ARM Holdings Plc, the U.K. semiconductor company.
“We ain’t seen nothing yet,” Pattison said, speaking on a panel at the Security Innovation Network’s U.S./U.K. Global Cybersecurity Innovation Summit in London Tuesday.
IoT is such a nascent area the fact that there have been relatively few cyber attacks targeting industrial control systems or equipment other than computers doesn’t mean such systems are necessarily safe.
It’s the risk to critical infrastructure from internet-enabled industrial control systems, such as those that help run nuclear power plants or chemical factories, that has received the most attention from national security agencies, Alison Vincent, chief technology officer for Cisco’s U.K. and Ireland businesses, said. As a result, many of these networks have already been fortified against possible cyber attacks. Instead, consumer devices may pose a greater risk, particularly in terms of privacy and data protection.
“Consumer technology is the Wild West,” she said.
Paddy Francis, chief technology officer for Airbus Group SE’s Defense and Space division, warned of the risks posed by increasingly internet-connected household appliances. The sheer number of these appliances — from coffee makers to refrigerators to televisions — and the relatively weak firewalls of most household wireless networks, could make such mundane items attractive to cyber criminals for use as “botnets” in so-called denial of service attacks, in which a hacker disables a website by flooding it with specious message traffic.
Francis also worried that “cyber-assisted burglary” might become increasingly common, with criminals hacking into household networks to extract data from routine items — like smart-metered lighting or heating systems — to determine if the occupant was home, looking for the best time to break in.
Jeremy Watson, vice dean of engineering sciences at University College London, said even something as simple as allowing a large office building’s facilities team to control the heating and air conditioning systems through a mobile phone app — one often cited use of IoT technology — posed a potential risk. He said, for example, a disgruntled employee with access to the system might use it to cause temperatures in a server room to soar, resulting in computer failure.
Even if such internet-enabled devices were built with good security measures initially, the evolving tactics used by hackers and cyber criminals mean that security protocols need constant updating. Another concern is whether businesses and households would be able to keep on top of this process, Watson said.
“What if you have an IoT fridge and it is not being updated,” he said. “The real question is, how do you get protection by default?”
Pattison noted that a number of car companies, such as Tesla Motors Inc., already provide updates of their software automatically over mobile and wireless connections. While that’s one solution to the problem, even these automatic patches pose a potential risk as hackers could seek to interfere with the updates or even use a fake update to insert malicious code into a vehicle’s software. And as automobiles become increasingly autonomous, the risk posed by such hacking increases, he said.