Internet of things: humble lightbulbs could become a form of attack

If anyone in the technology industry believes the cyber security risk posed by the internet of things is exaggerated, then Daniel Miessler, a director at IOActive, a security company, is keen to put them straight.

IOActive has published a paper detailing how its researchers were able to take control of a sport utility vehicle without the investigators even touching the car.

The consequences of this type of attack could have lethal consequences, Mr Miessler says, but attacks on cars could be insignificant compared with risks to public transport, energy and utility networks and healthcare services.

Attacks could affect “infrastructure that is deeply ingrained [such as] power distribution, which is core to what we need as a civilisation”, he adds.

Mr Miessler warns that assaults on critical infrastructure could even become common, both as a result of conventional warfare or cyber attacks.

His view is widely shared by those in the industry.

One reason for their concern is that older equipment in areas such as transport and utilities is being connected to networks — even the internet — for maintenance and monitoring.

Much of the existing equipment was designed for a pre-internet era and lacks the security and protection measures contained in a personal computer.

Cesare Garlati, chief security strategist at the PRPL Foundation, a non-profit open-source software group, says much of the hardware used in the internet of things, including older industrial control systems, were not designed to be “patched” or updated in the way a PC is. This leaves potential security flaws open to attack.

Industrial systems are not the only ones criminals might exploit. Many common connected consumer devices also face cyber hacking threats.

“Things that are independently not that dangerous can pose a risk if they share information,” says Mr Garlati.

“No one will be too concerned if you hack a car radio, but they will be if you can move on to attack things that are critical in the car.”

He points out that in-car electronics and entertainment systems are more linked than ever.

Personal devices could also act as a “back door” to companies’ computer systems, while the data they gather bring another set of security challenges and might even put a user’s company at risk of attack.

Chris Underhill, head of information technology at consultants Cyber Security Partners, says that even something as seemingly simple as data gathered from a person’s fitness band could help outsiders to launch a cyber attack against the user’s company.

He says criminals may be able to see when security personnel are on breaks, or when few people are in the office, so an attack might go unnoticed.

Hackers could even take over thousands of devices, some as simple as a lightbulb, to disrupt a business or even a nation. Switching off one lightbulb could be a prank; plunging an office into darkness could disrupt a business; turning thousands of lights off and on at once could disrupt a whole power grid.

“People don’t think what might happen if someone tries to do something malicious to a device,” warns Justin Lowe, a security expert at PA Consulting Group. “An unimportant device might become important if connected to a critical system.”

Despite these concerns, few observers believe the development of the internet of things will slow down because it has too many potential benefits.

“Humans want to be able to interact with machines in very efficient and expedient ways, and machines can benefit from interacting with machines in that way too,” says Mr Miessler.

“It could be a toaster wants information from the refrigerator but it could be it wants information from the city’s [power supply system] as well.

“There is a benefit from having them connected in a faster and more direct way,” Mr Miessler adds. “But people are rushing towards that connectivity, and we have to deal with the security implications.”