As many as 50 billion devices are expected to join the Internet over the next five years in a connectivity frenzy called the Internet of Things (IoT). As exciting as it is to imagine a world in which everything is connected and chatting, there are some unique challenges product developers will encounter. Devices have a way of living for years, and the security and management issues when billions of them are in the field are unexplored territory.
A striking example of these new risks occurred recently when hackers were arrested for stealing more than 30 Jeep SUVs by using laptops to bypass the vehicles’ ignition systems. According to Autoblog, the thieves were able to access Fiat Chrysler’s DealerCONNECT software and reprogram it to accept a generic key. Once they cracked one car, the rest were easy.
And Jeeps aren’t the only vulnerable candidates. Two different presenters at the recent DEF CON conference showed how 12 out of 16 “smart locks” could be wirelessly picked using less than $200 worth of off-the-shelf hardware and software. Three of the locks transmitted passwords across wireless networks without any encryption whatsoever. In other cases, the attackers wirelessly recorded a sequence of codes that a building owner used to open the locks and then simply played back the recording. Another lock opened by default when it couldn’t understand the sequence of code it received, probably a safety measure, but also a security hole.
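The three lock failures described above (a secret sent in the clear, a recorded code sequence that works when played back, and a lock that opens on input it cannot parse) can each be closed on the lock side. The sketch below is an added example, not code from the article or from the DEF CON presenters; the frame layout, the key and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key, provisioned out of band
CMD_UNLOCK = 0x01               # hypothetical command code
FRAME_LEN = 8 + 1 + 32          # counter | command | HMAC-SHA256 tag

def make_frame(key, counter, command):
    """Phone/fob side: the key never travels, only a tag computed with it."""
    body = struct.pack(">QB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class LockVerifier:
    """Lock side: authenticate, reject replays, stay locked on anything else."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0   # highest counter accepted so far

    def handle(self, frame):
        """Return True only when the lock should open."""
        try:
            if len(frame) != FRAME_LEN:
                return False                      # malformed: fail closed
            body, tag = frame[:9], frame[9:]
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False                      # forged or corrupted
            counter, command = struct.unpack(">QB", body)
            if counter <= self.last_counter:
                return False                      # recorded frame played back
            self.last_counter = counter
            return command == CMD_UNLOCK
        except Exception:
            return False                          # never open on a parse error

if __name__ == "__main__":
    lock = LockVerifier(KEY)
    frame = make_frame(KEY, 1, CMD_UNLOCK)
    print("first use:", lock.handle(frame))
    print("replayed: ", lock.handle(frame))
    print("garbage:  ", lock.handle(b"\x00\x01\x02"))
```

A real product would also need to persist the counter across power loss and protect the key in hardware, which this sketch leaves out.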
From keys to bits
Two unique characteristics will mark the age of the Internet of Things.
- Many operations that were once done by physical means – such as unlocking a door – will be done with software. Software is inherently subject to manipulation.
- A lot of the communications will take place over wireless networks, and wireless networks are much easier to hack than wired ones.
My home thermostat is Wi-Fi enabled, giving me the freedom to set the temperature remotely. That’s great, but what happens when a prankster hijacks it and sets it to 100° while I’m away for a week? Or if that prankster installs a wireless network sniffer on a telephone pole in my neighborhood and intercepts the garage door codes for every house on the block? Wireless sniffers make such activity trivial.
The implications are even more grave in a world of autonomous connected vehicles. If steering and acceleration systems can be hacked and commandeered, cars could literally be hijacked while people are still riding in them.
There’s no doubt that the companies designing these next-generation products are already thinking about these issues, but there are no standards, and IoT promises to be a hyper-competitive market (just look at the number of fitness trackers out there). Details tend to get overlooked in the race to get to market.
Over time, standards will emerge and security will improve, but then another problem arises. “Things” don’t get updated as frequently as smartphones or PCs. When was the last time you changed the smoke detectors in your home? Most people never do. A security vulnerability in a 10-year-old smoke detector is likely never to be resolved, particularly if the manufacturer has discontinued the product or gone out of business. And if that smoke detector is connected to your home network, it becomes a vulnerability point. Don’t laugh; one of the biggest credit card thefts of the last five years occurred when hackers broke into a Wi-Fi access point at a retail location and worked their way from there into the corporate mainframe.
Designers in the IoT age will need to think of how to provide the automated convenience that customers crave without putting them at the mercy of anonymous evil-doers half a world away.