Perimeter

10/16/2014
01:50 PM
Marilyn Cohodas
Slideshows

The Internet of Things: 7 Scary Security Scenarios

The IoT can be frightening when viewed from the vantage point of information security.
1 of 8

What's not to like about the Internet of Things? You drive to work in your connected car while the GPS automatically navigates you away from a traffic jam that would have parked you on the expressway for two hours. At the same time, your onboard messaging app reads you an email from your boss telling you that you've earned a 10% raise for your big project.

The nightmare scenario might look like this. You take a taxi home after work because a hacker breaks into your car's WiFi, takes control of the steering wheel, and crashes you into a tree. When you arrive, you are greeted with a strangely worded email asking for a ransom in exchange for the return of an embarrassing photo of you at a recent party you thought was beyond reach and securely hidden in your camera roll in the cloud.

Love it or fear it, the Internet of Things is fast becoming a reality. By the year 2020, the analyst firm Gartner predicts, there will be more than 26 billion Internet-connected "things" -- not including PCs, tablets, or smartphones -- all of which are raising the challenges of cyber security to a whole new level. Recently, security researchers have offered a glimpse of potentially scary security scenarios that could unfold in the not too distant future. Here are seven that may be closer than you think.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Comments
Some Guy,
User Rank: Strategist
11/6/2014 | 1:52:58 PM
NEST - just take it off the wall
Only a fool would pay to ransom their NEST. Just take it off the wall and call the FBI.

BTW, most thermostats have a thermal limit switch built into them, which means your house would only go to 90-95 degrees F. Enough to boil your fish in the aquarium and dry out your houseplants, but that's about it.

This brings up a good point: a lot of the Internet of Things are cyber-physical systems, and some are even safety-critical systems. You are dependent on the manufacturer to get it right, so caveat emptor applies here, with the downside being your safety or life at risk. For example, Toyota, with the uncommanded acceleration of their cars, should have at least provided a mechanical on-off switch that physically removed power from the controller, rather than a momentary switch that was an input level that had to be read by the processor. (And don't even get me started on the lack of safety review or lack of validation around their immature and woefully inadequate safety-critical SW development practices. Again, caveat emptor ... really caveat.)
Broadway0474,
User Rank: Apprentice
10/30/2014 | 10:20:31 PM
Re: This isn't an article at all
While the multiple page format does leave much to be desired, it's a bit harsh to call the piece worthless. It's an interesting collection of what ifs.
nheath920,
User Rank: Apprentice
10/22/2014 | 1:20:35 PM
Re: This isn't an article at all
The ads are over the top. Very time-consuming to get to the actual article. I wouldn't think the advertisers would think this is an effective way to deliver their message, so in-your-face that their brand can be associated with annoyance and to be avoided.
moosemiester,
User Rank: Apprentice
10/22/2014 | 11:00:45 AM
This isn't an article at all
It's a wrapper around ads, pop-ups, and videos, forcing me to click over and over to get each paragraph and while I am trying to read it, pop ups block the copy.

Everything here was the result of a Google search. There is nothing new. The whole thing is just clickbait. Very disappointing. This used to be a good place to learn things.
Marilyn Cohodas,
User Rank: Strategist
10/17/2014 | 12:20:45 PM
Re: The IOT risks are only as limited as creativity of the attackers
That commercial was what I was seeing in my mind's eye when I was writing this blog.... Yes, in the fantasy world of advertising, it all seems so right. But there is so much that can go wrong! Thanks for the ABI report...
Ed Telders,
User Rank: Apprentice
10/17/2014 | 12:13:33 PM
Re: The IOT risks are only as limited as creativity of the attackers
Indeed, check out the ABI research report on cars:

https://www.abiresearch.com/market-research/product/1017985-connected-car-cybersecurity/

I think of the recent TV commercial with the young boy learning to drive with his dad: he spies a young girl walking on the street and is distracted, and the car automatically applies the brakes to prevent an accident while the dad gives a knowing and stern look. The commercial is about the automatic braking feature as a way to save lives. Unless of course someone simply turns that feature off! I can already see the lawsuits and headlines coming, along with the human tragedy of the event itself.

Thanks for bringing all this up and hopefully getting the industry involved to solve this issue.
Robert McDougal,
User Rank: Ninja
10/17/2014 | 11:35:45 AM
Re: The IOT risks are only as limited as creativity of the attackers
@Marilyn You are exactly right, our major fear now should be the automotive industry. We are seeing industries that traditionally do not operate on the internet entering cyberspace. By the simple lack of experience in information security, these companies are bound to make mistakes. Just imagine the horrible possibilities of internet-attached lawn mowers, Segways or baby swings.
Marilyn Cohodas,
User Rank: Strategist
10/17/2014 | 9:00:10 AM
Re: The IOT risks are only as limited as creativity of the attackers
Totally agreed, @Ed Telders. The worst is yet to come. The auto industry, for one, hardly has a stellar safety record (think Chrysler, GM, faulty ignition switches). With design and manufacturing cycles several years out, carmakers need to be locking down the security of networking features now for the cars we will be driving in the very near future.
Ed Telders,
User Rank: Apprentice
10/16/2014 | 6:01:17 PM
The IOT risks are only as limited as creativity of the attackers
Marilyn,

This is simply another new round of rapid expansion of connectivity and internet-accessible "widgets". And it seems that, like all the previous rapid expansions, the first group of new "widgets" are more concerned with being first to market, and first to bring a "cool" technology to the forefront, than with whether these devices are secure by design. I suspect it will take some unfortunate and spectacular incidents to once again wake them up and start taking it seriously. Too many times we've had to learn this lesson.

I can think of a lot of ways that this can become serious. All the same kinds of risks can be explored with these devices, and they are only limited by the creativity of the attackers. Simple disruption, DDoS, shut-down commands, bots, all sorts of malware, using these to backdoor into your network, monitoring, tracking, intellectual property theft, etc. are only the beginning. Let's just say that a smart grid has all of its electrical usage data set to zero for thousands of customers: what happens to the tax revenues that are supposed to be generated by that? What if the opposite happens, and all meters show extraordinarily high electrical usage? Who cleans all that up? How about the medical device that is modified to give you too much insulin, or changes the pacemaker's control of a heartbeat?

To me the most insidious risks are those that follow the tracks of the APT attacks: slow and stealthy, undetected for extended periods of time, small but meaningful impacts across a wide range of devices and services.

This is only the beginning of this round; it will become interesting and challenging, real fast.