As reported by ComputerWorld: Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists. Or someone who hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the hacker who accesses a building's furnace and thermostat controls and runs the furnace full bore until a fire is started.
Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that "the Internet of Things will kill someone."
Williams, whose firm provides application security, doesn't know exactly how IoT might be used to kill someone or what device will be implicated in the nefarious scheme, but considers it a certainty that a connected device will play a role in a murder.
Similarly, Rashmi Knowles, chief security architect at RSA, said something similar in a recent blog post, imagining criminals hacking into medical devices and starting "a complete new economy" by blackmailing victims.
You can dismiss these concerns as hype or exaggeration, but many security community predictions about earlier Internet-related risks have become true. As businesses raced to develop Web platforms, security experts imagined massive breaches and thefts of personal and financial data in every way possible. There's no question they were right.
Today, there is a new "rush to connect things" and "it is leading to very sloppy engineering from a security perspective, which makes ... internet of things devices very attackable -- the way web applications were 10 years ago," said Williams.
There are industry verticals that are trying to avoid IoT security problems from the onset by setting up industry collaborations, said John Pescatore, director of emerging security trends at the Sans Institute.
One major effort, the Industrial Internet Consortium, was founded in March and includes IBM, HP, GE, Microsoft and Toyota, among many others. It is now working on IoT security issues. There are other industries, such as medical device and automotive, that are doing much the same thing.
Enterprise users, however, will have to integrate all these technologies, with multiple operating systems, and then make them all work together as a system, said Pescatore. He noted the difficultly it took to get security standards on a PC.
"I think it makes the system integration a lot harder," said Pescatore, and it was "hard enough doing PCs and servers."
New methods of securing IoT devices may emerge. For instance, in the scenario where a furnace runs constantly in an effort to burn down a house, the power passes through the electric utility, which can act like a managed service provider, or quasi-firewall, and take action when a power use anomaly is detected, said Pescatore.
Predicting murder via the IoT is, for now, nothing more than speculation. But the risks, and the types of risks, are increasing.
In a speech earlier this year, CIA Director John Brennan said that as "we move closer to what some are calling an 'Internet of Things,' there will be more devices and systems to protect -- and, equally worrisome, more that can be used to launch attacks."
No comments:
Post a Comment