CIA, Europol on Alert for Internet of Things Security Storm

Who would want to hack a fridge or a heating system? Remotely accessing fridges and turning up the thermostat to 25 degrees centigrade would certainly be annoying but what’s the point? It wouldn’t be the most efficient method of getting money or bringing down Governments. So why the fuss?

According to analysts and commentators the number of home appliances, heating and security systems being connected to the Internet of Things (IoT) poses a security risk. Last year research firm Gartner estimated that there will be 26.5 billion devices connected to the IoT by 2020. Cisco believes that over 50 billion ‘things’ will be connected to the internet by 2020. IDC forecasts the market will be worth $7.1 trillion over the next six years. Other reports vary on the numbers although it’s safe to say it’s going to be big - but that doesn’t always mean better.

According to Europol, this growing interest in IoT could mean a field day for cyber criminals as it creates a “wider attack surface and more attack vectors”. The CIA is also concerned. Dawn Meyerriecks, the deputy director of the CIA’s directorate of science and technology, was widely quoted earlier this year when she spoke at the Aspen Security Forum. She talked about how today’s cyber security concerns do not address the looming threat posed by IoT. Unfortunately she cited the Proofpoint fridge attack report as evidence. In January this year security firm Proofpoint claimed that a fridge was used as part of a cyber-attack but the claim was challenged by Symantec, among others. As a definitive source regarding threats it has since been approached with extreme caution.

So let’s get something straight. Can fridges really be taken over and host botnets resulting in spam emails and general mischief? Or is this scaremongering?

“At the risk of sounding trite, anything that has a general-purpose computer inside and is connected to a network in some way probably can, at least in theory, be used in some sort of cyber-attack,” says Alexandru Catalin Cosoi, chief security strategist at Bitdefender.

Trite? Maybe in the security industry but most businesses and consumers will have no idea what is and isn’t possible. Maybe we have to stop thinking of the threat in terms of individual devices and appliances and see this as a step change, the creation of a new gateway to a wider, much more complicated network of criminal possibilities? After all, data flows both ways and it is that return flow, into the large Big Data corporations (and increasingly local government datacentres) that will pique the interest of cyber crooks.

“In IoT the development of Big Data applications can only be achieved with trusted data, and trusted data can only be sourced from secured devices,” comments Beecham Research technical associate Haydn Povey, a former director of Secure Products at ARM Holdings.

The implication here is that the IoT is potentially a network of unsecured devices, which is why there is in fact a lot of commotion around the rapid growth of IoT and its simultaneous lack of security standards.

Povey, like Cosoi sees a data war looming on a different scale to what we have been used to. Inevitably cyber criminals will already be weighing up the opportunities worth pursuing and Cosoi expects this to be financially, rather than politically driven.

“We expect that there will be ways to monetise compromised devices. In the limit, even the raw processing power can be valuable – compromised devices might be put to work cracking hashes for instance, mining Bitcoins or other crypto-currencies.”

It makes sense. Povey suggests it can go further and become political too, which is why Europol and the CIA are so concerned.

For many critical machine-to-machine (M2M) systems there is a serious threat to Government and nations, says Povey.

“This is what has pushed governments to give stronger guidance on SCADA and Industrial Control Systems,” he adds, “but hopefully as we build out the IoT we will have learnt our lessons well and can avert this threat.”

There is a subtext here. Everyone is still learning. The industry doesn’t know what the exact threat will be or how prolific, but it knows through experience that it’s better to think worst-case scenario and work backwards than be caught with your pants down.

In September, Beecham Research released a study entitled ‘Evolving Secure Requirements for the Internet of Things’, warning that there is currently “insufficient security capabilities within the emerging IoT standards to manage the long life-cycles expected of many IoT devices.”

Professor Jon Howes, one of the authors of the report and Technology Director at Beecham Research, said that while we may have some visibility of potential attacks over a few months, we need to protect IoT devices in the field for 10 years or longer.

“Devices must be securely managed over their entire lifecycle, to be reset if needed and to enable remote remediation to rebuild and extend security capabilities over time,” he says.

The vendors will love this. What every tech company wants is a reason for an upgrade, to boost the sales cycles, to have greater leverage and communication with its customers. A new range of internet-ready devices will no doubt creep onto the market, espousing the convenience benefits of mobile and remote control but will the market really get it? Will people understand that their health data, energy use and driving habits will be uploaded and stored and potentially analysed?  

While the IoT threat is from criminals that want to harvest user data, use unprotected devices as a gateway to create havoc in national networks and use devices as power sources for launching spam and such like, not a lot has been said about the data that’s being collated. Is this for the benefit of individuals or a valuable source of market data for businesses to mine? Is the IoT just going to create one giant CRM system?

If I was a business and wanted to convince people to connect all their devices and buy new devices, security would be the first thing I addressed. Make sure it’s safe, and then they will come. That would be the company mantra. It’s kind of the approach taken by the Open Interconnect Consortium (OIC) that was launched in July to find security solutions and standards for the IoT. Last month open source security firm Gluu joined the growing list of technology names on the OIC membership roster searching for answers.

"Although IoT presents some new challenges, it’s important that we leverage the experiences of the last two decades of web access management," said Gluu CEO Mike Schwartz. "The basic idea that a person or an organization needs to centrally control access to something has not changed. By promoting the use of open Web standards we can ensure that the billions of devices connecting to the internet implement strong, modern security."

Good luck with that. The only thing that is clear about IoT security is that nothing is clear at the moment. There’s plenty of fear. The sheer potential scale of IoT is only fuelling the concern, at least among vendors. There seems to be a storm brewing and at the moment at least we don’t have a coat.

Worst case scenario?

“It’s more the purview of Hollywood script-writers,” says Cosoi.

Die Hard springs to mind although so does Idiocracy and, for the moment at least, I’m not sure which is most relevant.


Marc Ambasna-Jones is a freelance writer and communications consultant that has written about technology trends and issues for over 24 years for national newspapers, consumer and business magazines. He can be found on Twitter @mambjo


« InfoShot: US Tech Firms Lobbying Spend [Updated]


Solar Power: Energy Source of the Future? »
Marc Ambasna-Jones

Marc Ambasna-Jones is a UK-based freelance writer and media consultant and has been writing about business and technology since 1989.

  • Mail


Do you think your smartphone is making you a workaholic?