Cybercriminals and Cybersoldiers: Why We Need to Secure the Internet of Things

10/08/2015 - 05:21

Andrew Heikkila

After Chinese President Xi Jinping visited the US in late September of 2015, an accord was reached in which the US and China have agreed to halt state-sponsored attacks on private corporate entities and citizens.

The question now is, “are words followed by actions?” This is an especially sensitive question in light of the most recent state-sponsored hack on government databases that saw the theft of personal data from 21.5 million government workers and 5.6 million sets of fingerprints - and even more so because of the continual growth of the Internet of Things.

You’d have to be living under a rock for at least the past year not to have heard about the “Internet of Things” (IoT). From texting smart fridges, washers, and other appliances to wallpaper that can display messages, it seems that everything nowadays is connected to the internet. Uber, for example, will conjure you a ride in a matter of minutes from the same smartphone that might be monitoring your pacemaker, as well as your home security system. Devices such as the Homey will ensure that your heating and air-conditioning are primed to create the perfect climate before you even step into your house, where your favorite music will already be playing over your home entertainment system. Sound almost too good to be true? Well, that’s because it almost is…

If you can remember far enough back to the days when AOL Trial CDs came in the mail, then chances are either you or somebody you know accidentally downloaded a virus, either via email or some other hidden download. At worst, we’re talking about stolen credit card info and lost finances--but more often than not those viruses were mostly made to troll, freeze your computer up, and delete your files.

As time has gone on, more and more of the average cybercriminal’s efforts turned away from simple vandalism to focus on more advanced attacks on valuable targets designed to access bank accounts via phishing, for example. Even more common (60% of data breaches) are attacks on corporate entities that lead to the identity theft of their users. These attacks rely on weaknesses in infrastructure called vulnerabilities, and the way that the Internet of Things is being built is full of vulnerabilities.

When computer software companies find out that they have vulnerabilities, they’ll usually release a patch (one of the reasons you’re constantly updating your iOS or your Android operating system, as well as app versions). The IoT is connected through routers that are chock-full of these vulnerabilities--and what’s worse is that there is no easy way to patch them. Essentially, access to the IoT is open to anybody that wants it bad enough.

The poor state of security for the IoT not only puts more of our personal and financial information at risk, but it invites unchecked control of actual physical objects around us. We’re talking about the ability to take control of your home security systems (including baby monitors), wirelessly carjack your vehicle, or even kill you by hacking your pacemaker. And this is where it comes full-circle. The more we integrate our lives with the IoT (especially in the cavalier, profit-at-all-cost way that we have been), the more we are putting lives at risk.

All of this might sound extreme, because so far the biggest casualties to cyberwarfare have been pocketbooks--but cybersoldiers are not fictional Robocop looking androids of the future. They’re real and operating out of China at this very moment, and unless people start looking at the potential harms and making big changes in the way that we treat the Internet of Things, we’re inviting an incident that will spur us to action. Furthermore, the US CYBERCOM is in the midst of "recruiting 6,200 cyberwarriors" to help thwart future attacks.

Fortunately, while a secure IoT may not be easy to create, it’s not impossible. Sanjay Sarma, one of the researchers that laid the groundwork for the Internet of Things, thinks that standard, open, and mandatory architecture is needed to make everything as secure as it is needed to be.

Still, when Cisco systems accounts for one-third of corporate data loss incidents being caused by unauthorized programs installed by employees, and the average security breach due to lack of encryption costs approximately $3.8 million, it looks like the first step toward change is that companies simply need to start taking security more seriously. If companies were actually held responsible for these issues, we might see true progress.

One thing is certain: your information is out there, and it’s valuable to somebody. What are you doing to protect it?