Cyber Security: The Internet of Things = The Internet of Hackable Things

Imagine this: While you’re away on vacation, a criminal hacks into your smart house, turning off the power, alarms, and everything else. Their pal the burglar is then free to break in and steal everything. Once your TVs, jewellery and stereo equipment are gone, the cybercriminal hacks back in, turns on the gas and ignites the house, destroying all the evidence. Sound like science fiction? This could be reality within just a few years.

There are some changes coming to the internet that are already foreseeable. The transfer of the internet from IP version 4 (4 billion addresses) to IP version 6 (100 billion times that number) will happen: It is not “if,” but “when.” And we’re already seeing the internet move from our computers and personal gadgets to everyday household devices like cars and appliances—the so-called “internet of things.” These changes will bring another leap forward in innovation compared to which the birth of the original internet will seem small.

With that leap will come an increase in cybercrime.  Whether we like it or not, cyber security will become a major focus in the next five years.  The problem will be people trying to protect themselves when using the greatest communication device ever invented, without having any idea how to do it. The introduction of the internet of things—the next step in the internet evolution—will mean everything is connected to the internet.  This brings new problems.  In Dallas, about 12 months ago, a high-level government contractor was hacked.  It was not through the firewall, nor through a silly mistake in configuration or an even sillier mistake caused by someone clicking on infected malware.

The hack was done through a controller for an air conditioning unit within the boardroom. This aircon had an IP address and a system that let it call back to the manufacturer if it needed servicing or filter changes. This system was hacked and the aircon was turned into a listening device. Try explaining that to your board of directors!

In some places in the world, the internet of things is already here. New cars manufactured in the last couple of years have up to ten subsystems, each with its own connection to the internet. Each one is a part of the internet of things. At the most recent Black Hat conference in Las Vegas, one of the demonstrations was on a new car’s unassisted parking system. The presenters showed how easy it was to compromise this system with a Bluetooth keyboard and the right codes. These codes have already been publicized on the internet. In most cases, these types of attacks are really easy for the calibre of people at these conventions.

Are there any steps we can take to make life harder for hackers and cybercriminals? Yes—but in most cases, they’re being ignored. The problem with the internet of things is that the software being written for these systems is substandard. Yes, it will have functionality, but there is no thought given to security and protective processes. Most software writers are too lazy to use complicated passwords, remove hard-coded default passwords, make use of two-factor authentication, or even use plain common sense to write secure code. I personally do not want to drive down the road and have my airbag deployed by some clown in the next car.

I know that writing secure code takes a little longer, and I know that with that extra time comes an increase in cost. In most cases, the mitigation of risk is covered with large checkbooks and high-level legal fees. The code writers only put in the time to mitigate risk if the client pays extra for it. Most code writers hide behind their license agreement and do not invest that additional time in creating secure code. Instead, they should take responsibility for minimizing risk. It should be a primary focus of their software creation.

The internet of things is here to stay.   As more and more systems are connected to the internet, cybercrime and cyber security will increase exponentially.  How can you protect yourself?  As a buyer, be wary of any “smart” appliance unless the manufacturer can assure you that it was created using the highest standards of secure coding.  And remember the sad fact that with increased connectivity comes increased risk.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.