Blog: Holes in the net are weaponising IoT

In the past few weeks we’ve seen death by autonomous Uber, warnings about spying toasters, a major US city crippled by a cyber attack, and the beginning of a pivotal conversation with the Facebook-Cambridge Analytical data scandal that could lead to a tipping point in our relationship to the internet.

All of these point to a lack of preparedness for the dark side of the Fourth Industrial Revolution we have all entered into, whether we’re aware of it or not.

Last week in London experts gathered to tackle the challenges and future risks of IOT security.

Hosted by Petras (Privacy, Ethics, Trust, Reliability, Acceptability, and Security for the IoT), IoTUK, and the Institution of Engineering and Technology (IET), ‘Living in the Internet of Things: Cybersecurity of the IoT’, explored the emerging risks of data and IoT security, as well as what people, industries, and governments can do to circumvent disaster.

“What we know is the problem’s getting bigger, the threats are getting worse, and it’s not going to get any better,” said keynote speaker, Greg Akers, SVP Security and Trust Organisation, Cisco.

In our rush to connect everything to the internet, from thermostats to cars to CCTV, vulnerabilities have overtaken the means to protect these systems, creating susceptibility for seemingly innocuous objects to be turned into cyber weapons.

At the event some of the world’s leading experts on IoT security shared their latest research and thoughts on navigating the intricacies and challenges the security of IoT pose.

Following a week that was a stark reminder of the intrinsic value of our data, we can be sure that our future is all about data: Who owns it, who controls it, who has the fastest algorithms to analyse it, and who regulates it.

With an estimated 30 billion connected devices to be active by 2020, the landscape of potential attack is expanding rapidly, and entry points for devastating interference can be as mundane as a coffeemaker connected to Alexa.

Research shows that 66% of people are concerned about the hacking of their internet connected products, and yet 72% don’t know how to secure their devices. And this problem is not just limited to consumers.

Stacy Cannady, a specialist in cyber resilience and mitigation of cyber risk for Cisco Systems, highlighted the need for a common language to be established to understand risks, compare security products and procedures, evaluate threats, and set some standards in what actions can be taken to improve them.

The lack of ubiquity in IoT poses a problem, but at the same time it is also currently saving us, says Professor Dame Wendy Hall, Executive Director Web Science Institute, University of Hampton. It is buying us the time we need to figure out what it means to live in and secure a super interconnected world.

She is an advocate for establishing a ‘Data Trust’ that would provide the ability to step up frameworks to create a ‘data sharing economy’, arguing that this is key for innovation to thrive.

 

For example, a SME with a great new solution in the healthcare industry should be able to access the data they need to prove value without breeching NHS data protection.

This is where the distinction between data and information comes into question, as we can only trade and own data, not information. It also reminds us that the line between personal and non-personal data is a moving target.

“The web is a social machine,” says Hall, “and we’re dealing now with the unintended consequences of the power of a global information system.”

The internet was co-created by people and machine, where people did the creative and the computers did the admin. Now machines can do both.

With AI increasingly becoming embedded into objects, machine-to-machine communication becomes much more prevalent, and humans will be cut out of the conversation, lacking the ability to understand the machine’s language, introducing a whole new set of problems.

In a talk based on his whitepaper titled ‘Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things’, Matthew Lewis of the NCC Group offers a new method for identifying attack paths of interconnected networks. A ‘Thingernet’ is a group or system of interconnected things.

When mapped we can see all possible communication paths, like Bluetooth, WiFi, Ethernet and sound, and potential breech points.

Everyone agrees that collaboration between academia, industry and government is vital to the health of IoT security. Privacy by design, meaningful consent, and raising awareness of data points and safe behaviour are also important to attack defense, precedures, and recovery moving forward.

In the years to come things could get worse before they get better.

Legacy frameworks will need to not just be updated but replaced, as the quickly growing attack surface exceeds current capabilities. Consequences of attacks and data breeches may lead to alternative internet architectures, new governance regulations, geopolitical cyber warfare, and a global breakdown of trust.

The good news is we have Petras, IoTUK, the IET and their community of experts to guide us down these unchartered paths, even if no one knows where they might lead.