By 2020, over 20 billion interconnected devices will be online, according to a recent NewtonX report on the Internet of Things. The digital world will be increasingly connected, with everything from national infrastructure to running shoes sending information to and from other connected devices. The Internet of Things will provide immense opportunity for smart cities, hospitals, and homes — but it will also come with immense security risks.
These risks have already begun to surface: in 2017, security concerns led to the recall of half a million pacemakers over fears that a hacker could manipulate the heart-regulating device through security gaps. By some estimates, over 90% of all enterprises have been hacked. Robert Mueller famously stated, “There are only two types of companies: those that have been hacked and those that will be.” In 2016, cyber breaches cost businesses close to $4B — and exposed hundreds of thousands of records. In the first half of 2017, attacks on IoT were up 280% — and the NewtonX panel of experts anticipated that by 2021 over a third of all cyber attacks will target IoT devices.
NewtonX conducted a survey in early 2017 with over 30 cybersecurity experts with backgrounds at companies including McAfee, Lockheed Martin, and IBM Security, as well as former U.S. government cybersecurity advisers. This survey yielded quantitative results — including that businesses are expected to invest over $100B in cyber defenses by 2020 — as well as qualitative insights as to the expected state of security in the coming years.
The survey’s results indicated that there will be a chaotic period of adjustment to IoT that will result in major security breaches. This period is expected to last a minimum of two years, as security providers learn how to best protect data, processing procedures, and access control.
What’s at Stake: Our Hospitals, Homes, and National Infrastructure
IoT isn’t just for connected coffee machines and light controls — in fact, its biggest applications (and security breaches) will be in institutions. The NewtonX survey indicated four key areas in which IoT will be heavily used, and just as heavily abused:
1. IoT in the house
Smart speakers are the first of many interconnected devices that will make homes increasingly digitized. Already, Alexa can control your lights, door locks, coffee maker, thermostat, camera, television, and home theater system, and can turn practically anything that can be plugged into an outlet on and off. While this is certainly convenient, in late 2017 independent researchers and NewtonX experts identified weaknesses in Alexa that made it susceptible to airborne attacks. Already, researchers have identified key ways in which attackers can access users’ phones — the command point of all interconnected devices — such as through Key Reinstallation Attacks. The potential for malicious intent is large: hackers could gain access to homes and rob them, or, more likely, they could hold access to a home or information gleaned from devices hostage until the owner pays a ransom. The highly interconnected nature of IoT devices means that they’re also capable of spreading malware from system to system with no human interaction.
2. IoT in hospitals
As early as 2014, the healthcare sector poured $58.9 billion into IoT devices. The biggest use case for IoT is bringing critical hospital objects online. For instance, many hospitals now track hospital beds using sensors that tell operators when a bed is free. This may seem small, but it can actually reduce emergency room wait times by as much as four hours.
Additionally, sensors can alert hospital monitors to when machinery is about to break down — much in the same way that airplanes currently function. This keeps the hospital running smoothly, and reduces the chance of machine breakdown during a critical moment.
Hospitals need extremely robust cyber security, though. The potential to wreak havoc on a large population of vulnerable people is high, and therefore protecting against cyber attacks is extremely important in these settings. In the last year alone, numerous companies (including Johnson and Johnson and St. Jude Medical) have discovered cyber vulnerabilities in pacemakers, insulin pumps, and defibrillators. A ransomware attack that holds vital systems hostage until the hospital shells out millions could be absolutely devastating.
3. Critical national infrastructure
Connecting national infrastructure, such as nuclear plants and dams, helps society in many ways. It prevents breakdowns, helps with safety, improves efficiency, and even reduces emissions (in coal plants, for instance). Through remote prognostic condition monitoring, we can prevent breakdowns, automate the interactions of different machines, and get real-time data on performance.
But this requires tens of thousands of sensors — and if any one of them is hacked, malware could spread to an entire power plant. Considering that modern life is highly dependent on power, this could have catastrophic ramifications for communities.
4. Smart cities
According to the NewtonX panel, fully smart cities will not become a reality for another half decade at least. That said, there are aspects of cities that are already reliant on IoT. For instance, one expert pointed out that regulation of temperature in public buildings is often done through sensor-based IoT technology. Traffic lights are similarly monitored — and with good reason: traffic congestion alone accounted for $160B in wasted time and resources in the US in 2015. But if this system were hacked on a large scale, the costs from just five hours of ransom could be enormous.
“Imagine the havoc that a hacker could cause just by taking control of traffic lights — they could shut down an entire city,” declared a former cybersecurity lead at Lockheed Martin. “That’s a pretty appealing option for someone considering ransomware.”
As IoT Comes of Age, Defenseless Systems Are Multiplying
The multiplication of devices is making us infinitely more vulnerable.
The NewtonX panel pointed out that this is not the first time that new technologies have made us susceptible to attack — after all, just look at the 2016 US presidential election. As with social media and data privacy attacks, IoT will come with a host of new problems that we will learn to deal with as time goes on. Furthermore, ambiguities in the Computer Fraud and Abuse Act have left many companies and their cybersecurity teams unsure as to how proactive they can be against attacks without breaking the law.
“Already, we’re preparing for an interconnected future with at least four times the number of connected devices that we have today,” said a senior-level former employee at McAfee. “But we won’t know the full scope of vulnerabilities until the technology has been widely implemented and attacked.”