3 minute read
1 Introduction
From homes to hospitals, the power grid, the highway, and the high seas, the Internet of Things (IoT) is destined to change the way people live, do business, and interact with their governments. The IoT's massive interconnections of devices, or "things”, lead to new efficiencies and capabilities, and unlock tremendous value for consumers, organisations and governments. Imagine an intelligent hospital system that links patient monitoring devices with drug infusion pumps to prevent overdoses and reduce false alarms. Or a smart city that automatically schedules maintenance work to minimise street blockages and uses smart lighting to de-escalate conflict situations in real time13. Or connected farms that control their irrigation systems based on the moisture content of the soil and on the weather forecast, all the while deriving algorithmic insights into optimal ways to grow and water crops. IoT is one of the key enabling technologies to realise these visions.
The number of IoT devices in operation continues to grow exponentially. Gartner forecasts that the number of connected things in use globally will surge from 8.4 billion in 2017 to 20.4 billion by 2020, with total spending on endpoints and services exceeding $2 trillion.14
Smart cities and smart nations15 are enabled by the adoption of IoT along with related technologies such as cloud computing and big data analytics. These technologies can improve government operations, support better living, create new business opportunities, and support stronger and safer communities.
But the aforementioned opportunities come with enormous challenges. Beckstrom’s Law of Cybersecurity16 is a recent Internet aphorism that, slightly paraphrased, states the following: 1. Anything attached to a network can be hacked. 2. Everything is being attached to a network. 3. Therefore, everything can be hacked.
This pronouncement has proven largely accurate. In December 2015, VTech, a manufacturer of educational toys such as electronic learning devices, announced a security breach exposing the personal data of over 6 million people.17 Reports suggested that the breach exploited a SQL injection vulnerability at the server and that the account registration services did not use encrypted communication.18 The devices themselves were not compromised; however, the online services that the devices connected to were not sufficiently secured. On October 21, 2016, multiple distributed denial-of-service (DDoS) attacks targeted Domain Name System (DNS) provider Dyn, causing major Internet platforms and services to be unavailable to users in Europe and North America.19 The attack was accomplished by issuing a large number of DNS lookup requests from as many as 600,000 Internet-connected devices20 – such as printers, IP cameras, residential gateways and baby monitors – that were infected with the
13 https://www.tue.nl/en/our-university/departments/built-environment/research/smart-cities-program/collaboration/living-labs/stratumseind/ 14 https://www.gartner.com/newsroom/id/3598917 15 https://www.smartnation.sg – Singapore Smart Nation website. 16 https://dld-conference.com/articles/its-a-mad-mad-mad-cyber-world 17 https://www.vtech.com/en/press_release/2018/faq-about-cyber-attack-on-vtech-learning-lodge/ 18 https://www.bbc.com/news/technology-34963686 19 https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained 20 https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/ 11
Mirai malware to create a “botnet”; Mirai was also used for similar attacks on websites such as Krebs on Security.21 On June 25, 2019, a new IoT malware called Silex was found to be wiping device firmware after gaining access via default credentials – the standard user name and password that devices are shipped with. The malware, which only operated for one day, managed to brick thousands of IoT devices.22 These examples highlight two primary risks facing IoT23: 1. Consumer privacy and safety are being undermined by the vulnerability of individual devices, connectivity, and back-ends; and 2. The wider economy and critical infrastructures face an increasing threat of large-scale cyber-attacks launched from massive numbers of insecure IoT devices.
INTERNET OF THINGS (IOT) THREAT LANDSCAPE
HISTORY OF ACTUAL EVENTS
Multi-kiloton pipeline explosion
Critical infrastructure sites affected
Cars: digitally stolen, remotely crashed Steel mill blast furnace damaged
Larger scale power grid crashed
Hospital breached via medical devices
Figure 1: IoT Threat Landscape: Actual Events (Source: Symantec)
21 https://krebsonsecurity.com/ 22 https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/-silex-malware-bricks-iot-devices-with-weak-passwords 23 Secure by Design: Improving the cyber security of consumer Internet of Things. Policy report UK Government, March 2018.
