In our roundup of significant predictions for 2014, we've looked at new attack targets, the rise of the national Internet, mobile security, and online payments. The possibility that attackers would target the "Internet of Things" was the second most common prediction among security experts, after mobile security. Symantec even dubbed the "Internet of Things" the "Internet of Vulnerabilities."
The Internet of Things refers to how consumer electronics devices now have an IP address and can be controlled remotely. Smart refrigerators, home thermostat systems, smart TVs, storage devices, medical devices, cars, sensors on the electric grid, exercise machines, and even garage door openers are just a small sample of the Internet of Things.
Attacks Are Coming
While still in early stages, as soon as next year smart refrigerators, locks and thermostats will move into the mainstream, said Andreas Baumhof, CTO at ThreatMetrix. The Internet of Things is not very different from other types of online activity; cyber-attackers will be able to hijack the wireless network or exploit a vulnerability to attack the network or steal personal information, he said.
We have seen some examples of potential attacks in various proof-of-concept projects at Black Hat and other conferences around the country. A Qualys researcher demonstrated how it was possible to exploit the vulnerabilities in the user interface for D-Link IP cameras to hijack the cameras and the image feed. The late Barnaby Jack demonstrated how to hack an insulin pump a few years ago and had been scheduled to discuss the risks against pacemakers at Black Hat this year. Former vice-president Dick Cheney revealed in October how doctors had disabled the wireless connectivity on his pacemaker over concerns that someone would be able to hack into the device.
However, hardware vendors rarely think about security—whether it's fixing bugs in the embedded software or addressing issues on the hardware side—when rolling out new devices to the market. Even when issues are identified, manufacturers frequently drag their feet about patching the vulnerabilities, researchers from Rapid7 said. 2013 was a big year for worms and other forms of exploitation for the Internet of Things, and as the rate of adoption for these devices explodes, we will see more types of attacks.
We have some time, though. Incidents where "malicious hackers will take advantage by burning houses down remotely and/or remotely turning off security systems to allow burglars inside" are not something we should expect in 2014, but in 2015, Internet Identity (IID) said.
Research, Proof-of-Concepts
"While we don't expect attacks against the 'Internet of Things' to become widespread in 2014, we do predict an increase in reported vulnerabilities and proof-of-concept exploits," said Gerhard Eschelbeck, CTO at Sophos.
The security threats are broad and "potentially devastating" and organizations must ensure that technology for both consumers and companies adheres to high standards of safety and security, said Steve Durbin, vice-president of the Internet Security Forum. "It should be up to the companies themselves to continue to build security through communication and interoperability," Durbin said.
A small group of influential security experts is calling on researchers to focus their energies on connected and potentially vulnerable devices such as pacemakers, insulin pumps and other embedded systems. The group, "We Are the Cavalry," wants to educate the general public about the serious issues present in these devices since they are hitting the market with little to no consideration about security, Josh Corman, director of security intelligence at Akamai and one of the leaders of the group, told attendees at the OWASP AppSec USA conference in November.
"This is about doing research on things that matter rather than on things that frankly don't matter," Nick Percoco, director at KPMG and another leader of the group, said at the same presentation. If someone with a pacemaker dies, someone needs to be doing forensics on the pacemaker, he said. If the research community doesn't focus on these devices and publicize issues, "how are we going to know as a society that these things have flaws?" he asked.
"Let's do security that matters, not just our day jobs. The outside world is part of the solution set. This is security for the public good," Corman said.