It's Halloween and there are plenty of things to be scared of tonight. Creepy clowns. Zombies. Ebola. And, of course, murder. But we're not talking about murder by gun, or knife, or even the kind of "Mrs. White in the library with the candlestick," murder. Rather, the thing to be scared of tonight, on the last day of cyber security awareness month, is murder by Internet.
Murder by Internet is not just a very real possibility; it is an inevitability, according to international cybercrime experts. In fact, a 2013 report by cybersecurity firm IID predicts that the world's first online murder will occur by the end of this year -- all thanks to the Internet of Things (IoT).
To put it another way, if IID's prediction is correct, someone will successfully use IoT technology as a murder weapon in less than nine weeks from today.
This is no crackpot theory, either. This month, Europol's European Cybercrime Center (EC3) Division has cited IID's report in its own recent assessment of realistic cyber threats -- explicitly stating its expectation of a rise in the number of malicious, network-caused deaths and injuries.
What's more, in the world of The New IP, there is no shortage of -- ahem -- killer apps for an aspiring hacker.
Thanks to Showtime's hit TV show Homeland, perhaps the best-known example is the hackability of a pacemaker. Former US Vice President Dick Cheney famously had the wireless capabilities of his pacemaker disabled so as to curtail a potential assassination-by-hacking attempt.
Other medical devices have security flaws as well. In July 2013, celebrated hacker Barnaby Jack died mere days before he could give a presentation at Black Hat USA where he planned to discuss such vulnerabilities. Jack had developed systems allowing him to, among other things, send fatal electric shocks to pacemaker-wearers and force insulin pumps to dispense lethal doses of insulin to diabetics. Jack further reported that it was possible to upload firmware to a company's servers that could infect multiple devices simultaneously -- virus-like.
In the past, the FDA, too, has warned of security backdoors in pacemakers, defibrillators, and other inserted medical devices that would allow hackers to remotely kill or injure a patient.
Vehicular homicide is a more-than-viable option as well. At last year's Defcon, two security researchers presented a host of frightening attacks that could be perpetrated on a car. Once access (whether direct or remote) is gained to a modern car's embedded computer system, a hacker can seize complete control over such things as the vehicle's brakes, acceleration, engine, steering, speedometer, odometer, fuel gauge, horn, seatbelt, lights and GPS. Researchers further demonstrated that a hacker could modify a vehicle's firmware to transmit attacks even after it's disconnected from the system.
Toyota has pointed out this research assumed direct access to the vehicle, but other research has previously demonstrated that a vehicle's embedded computer system can be accessed remotely through Bluetooth, cellular services such as OnStar, and other methods.
Cyber terrorism through IoT, too, is widely feared; industrial control systems have been targeted in the past -- some successfully so.
And these are but a few examples. There are also myriad IoT-enabled reconnaissance methods for those who want to do their research on their victims and get the job done in person; vulnerabilities allowing for remote spying have been found in baby monitors, "smart" televisions, and even children's toys. And while most of the industry is talking about security-as-a-service, the Europol report warns about the rise of cyber-crime-as-a-service.
With all these ways to skin a black cat, what makes the matter all the more disconcerting is that many IoT manufacturers have a history of being lackadaisical about cyber security. Toyota, for instance, has publicly pooh-poohed the research demonstrating the hackability of its cars, ignoring evidence of remote hacking capabilities. Other automakers have been relatively silent on the matter.
Similarly, medical device manufacturers have had to be goaded by the FDA to make their devices more secure -- and the FDA wouldn't even do that until the Government Accountability Office prodded it to do so. Even more seriously, government agencies have also downplayed successful attacks on critical IoT-enabled industrial control systems.
The world of IoT is still full of things that go ping in the night. As long as IoT device-makers fail to provide a thorough, bottom-up approach to security, we remain vulnerable to the worst.
— Joe Stanganelli, freelance contributor, special to The New IP