Some say it was the refrigerator what done it. Others say it was innocent, and it just happened to be in the same place (well on the same network) as the real culprit. But whether or not the refrigerator was innocent, the Internet of Things (IoT) is still a big cyber security risk.
Think of the disruption a dedicated hacker could cause. Access lighting or heating systems and you could make the office buildings of a competitor uninhabitable. Access security systems and you could look people out of certain rooms, or perhaps in them, if you were really mean.
Denial of service attacks
One potential problem is malicious people using IoT devices such as routers, security cameras, printers, and yes even fridges, to act as “bot nets”, networks of remotely controlled computers, that can be used to launch cyber attacks. (Rather delightfully networks of IoT devices used in this way are sometimes called thingbots.)
Perhaps you won’t mind too much if your security camera is part of a thingbot that wrecks a competitor’s ability to trade online. (But perhaps you should if your negligence can be proved to have caused damage to someone else.)
Attacks on industrial control systems
Physical damage to machinery is another potential disruption risk. The most well known example is the Stuxnet “worm” that managed to damage Iraq’s nuclear centrifuges. The malware was apparently circulated on USB sticks left lying around in convenient places so that the centrifuges, isolated from the wider Web, could be targeted via the means of a careless person using one of the USBs in the wrong place.
Stuxnet wasn’t really an example of an IoT cyber attack because the centrifuges were not connected to the Internet. But it’s not the only time a machine has been damaged by a cyber attack. Late last year massive damage was caused to a German steelworks that suffered a cyber attack. Attackers used scam emails to steal log-in information and then gained access to the steelworks control systems, causing an unscheduled shutdown of a furnace which in turn caused the damage.
Capturing data: network hacking
What else can go wrong? Well, IoT devices massively expand the “attack surface” of organisations. Instead of protecting corporate information networks, IT managers now need to protect all those devices that may be attached in some way to the IT network. Often these devices are not well protected and represent security weak spots where information can be stolen or altered. Hacking into a network via smart lighting systems that are only protected with default passwords is one way (a theoretical account of how this could be done can be found here).
Supply chain weaknesses can cause network risk
People, often trusting, sometimes lazy, are frequently the biggest weakness in any security system. The Internet of Things expands that risk as the employees of companies who provide and service IoT devices are given access to corporate networks. People who are not directly employed are naturally harder to manage and so may be less cyber secure than regular employees. One of the largest hacks in recent times was suffered by US retailer Target who were penetrated via an employee of their air conditioning units supplier. The employee had access to Target’s systems for the purposes of maintaining the air conditioning units. But when his log-in details were hacked via a scam email, the hackers had access to the Target IT network, including files containing millions of customer credit card details, which they stole.
That’s not all though. Hack into a printer or scanner and you could have access to documents that are being printed. Start controlling security cameras (as has been done with baby monitors) and you have the potential to spy on companies or perhaps switch the cameras off prior to a burglary. Or plant spyware such as the Dragonfly malware on a system and use it to record and transmit proprietary information.
All in all…
The internet of things is only going to get bigger. As with all digital technology, security will never be perfect. So it is important to evaluate this risk in a measured way and avoid a panicky response. Organisations can protect themselves from the worst of the risk identifying all devices and systems that are connected to the internet, changing default passwords, and favouring suppliers of IoT systems that have a good security record. But the first stage will always be to recognise that the risk exists.