Perimeter
10/16/2014 01:50 PM
Marilyn Cohodas
Slideshows
The Internet of Things: 7 Scary Security Scenarios

The IoT can be frightening when viewed from the vantage point of information security.

What's not to like about the Internet of Things? You drive to work in your connected car while the GPS automatically navigates you away from a traffic jam that would have parked you on the expressway for two hours. At the same time, your onboard messaging app reads you an email from your boss telling you that you've earned a 10% raise for your big project.

The nightmare scenario might look like this. You take a taxi home after work because a hacker breaks into your car's WiFi, takes control of the steering wheel, and crashes you into a tree. When you arrive, you are greeted with a strangely worded email asking for a ransom in exchange for the return of an embarrassing photo of you at a recent party you thought was beyond reach and securely hidden in your camera roll in the cloud.

Love it or fear it, the Internet of Things is fast becoming a reality. By the year 2020, the analyst firm Gartner predicts, there will be more than 26 billion Internet-connected "things" -- not counting PCs, tablets, or smartphones -- and together they raise the challenges of cyber security to a whole new level. Recently, security researchers have offered a glimpse of potentially scary security scenarios that could unfold in the not too distant future. Here are seven that may be closer than you think.

 

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Comments
Some Guy (User Rank: Strategist), 11/6/2014 1:52:58 PM
NEST - just take it off the wall
Only a fool would pay to ransom their NEST. Just take it off the wall and call the FBI.

BTW, most thermostats have a thermal limit switch built into them, which means your house would only go to 90-95 degrees F. Enough to boil your fish in the aquarium and dry out your houseplants, but that's about it.

This brings up a good point: a lot of the Internet of Things are cyber-physical systems, and some are even safety-critical systems. You are dependent on the manufacturer to get it right, so caveat emptor applies here, with the downside being your safety or life at risk. For example, Toyota, with the uncommanded acceleration of their cars, should have at least provided a mechanical on-off switch that physically removed power from the controller, rather than a momentary switch that was an input level that had to be read by the processor. (And don't even get me started on the lack of safety review or lack of validation around their immature and woefully inadequate safety-critical SW development practices. Again, caveat emptor ... really caveat.)
Broadway0474 (User Rank: Apprentice), 10/30/2014 10:20:31 PM
Re: This isn't an article at all
While the multiple page format does leave much to be desired, it's a bit harsh to call the piece worthless. It's an interesting collection of what ifs.
nheath920 (User Rank: Apprentice), 10/22/2014 1:20:35 PM
Re: This isn't an article at all
The ads are over the top. Very time-consuming to get to the actual article. I wouldn't think the advertisers would think this is an effective way to deliver their message, so in-your-face that their brand can be associated with annoyance and be avoided.
moosemiester (User Rank: Apprentice), 10/22/2014 11:00:45 AM
This isn't an article at all
It's a wrapper around ads, pop-ups, and videos, forcing me to click over and over to get each paragraph and while I am trying to read it, pop ups block the copy.

Everything here was the result of a Google search. There is nothing new. The whole thing is just clickbait. Very disappointing. This used to be a good place to learn things.
Marilyn Cohodas (User Rank: Strategist), 10/17/2014 12:20:45 PM
Re: The IOT risks are only as limited as creativity of the attackers
That commercial was what I was seeing in my mind's eye when I was writing this blog. Yes, in the fantasy world of advertising, it all seems so right. But there is so much that can go wrong! Thanks for the ABI report.
Ed Telders (User Rank: Apprentice), 10/17/2014 12:13:33 PM
Re: The IOT risks are only as limited as creativity of the attackers
Indeed, check out the ABI research report on cars:

https://www.abiresearch.com/market-research/product/1017985-connected-car-cybersecurity/

I think of the recent TV commercial with the young boy learning to drive with his dad: he spies a young girl walking on the street and is distracted, and the car automatically applies the brakes to prevent an accident while the dad gives a knowing and stern look. The commercial is about the automatic braking feature as a way to save lives. Unless, of course, someone simply turns that feature off! I can already see the lawsuits and headlines coming, along with the human tragedy of the event itself.

Thanks for bringing all this up and hopefully getting the industry involved to solve this issue.
Robert McDougal (User Rank: Ninja), 10/17/2014 11:35:45 AM
Re: The IOT risks are only as limited as creativity of the attackers
@Marilyn You are exactly right; our major fear now should be the automotive industry. We are seeing industries that traditionally do not operate on the internet entering cyberspace. By the simple lack of experience in information security, these companies are bound to make mistakes. Just imagine the horrible possibilities of internet-attached lawn mowers, Segways, or baby swings.
Marilyn Cohodas (User Rank: Strategist), 10/17/2014 9:00:10 AM
Re: The IOT risks are only as limited as creativity of the attackers
Totally agreed, @Ed Telders. The worst is yet to come. The auto industry, for one, hardly has a stellar safety record (think Chrysler, GM, faulty ignition switches). With design and manufacturing cycles several years out, carmakers need to be locking down the security of networking features now for the cars we will be driving in the very near future.
Ed Telders (User Rank: Apprentice), 10/16/2014 6:01:17 PM
The IOT risks are only as limited as creativity of the attackers
Marilyn,

This is simply another new round of rapid expansion of connectivity and internet-accessible "widgets". And it seems that, like all the previous rapid expansions, the first group of new "widgets" are more concerned with being first to market, and first to bring a "cool" technology to the forefront, than with whether these devices are secure by design. I suspect it will take some unfortunate and spectacular incidents to once again wake them up and start taking it seriously. Too many times we've had to learn this lesson.

I can think of a lot of ways that this can become serious. All the same kinds of risks can be explored with these devices, and they are only limited by the creativity of the attackers. Simple disruption, DDoS, shut-down commands, bots, all sorts of malware, using these to backdoor into your network, monitoring, tracking, intellectual property theft, etc. are only the beginning. Let's just say that in a smart grid all of the electrical usage data gets set to zero for thousands of customers; what happens to the tax revenues that are supposed to be generated by that? What if the opposite happens, and all meters show extraordinarily high electrical usage; who cleans all that up? How about the medical device that is modified to give you too much insulin, or changes the pacemaker's control of a heartbeat?

To me the most insidious risks are those that follow the tracks of the APT attacks: slow and stealthy, undetected for extended periods of time, with small but meaningful impacts across a wide range of devices and services.

This is only the beginning of this round, it will become interesting and challenging, real fast. 
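The smart-meter scenario in the comment above (usage data zeroed, or pushed absurdly high, for thousands of customers at once) is one where a per-meter range check is not enough: each tampered reading can look valid on its own, and only the population tells you something is wrong. The following is an added example written for this page, not code from Dark Reading or from any commenter. It runs a fleet-level plausibility check over a constructed batch of interval readings; the record format, the meter IDs, the per-meter baselines, the interval timestamp and the alert thresholds are all assumptions made for illustration.

```python
"""Population-level plausibility check for smart-meter interval readings.

Added example, not code from the Dark Reading page or from any commenter.
It models the scenario raised in the comment above: a compromised head-end
or a batch of tampered meters reports zero usage, or absurdly high usage,
for thousands of customers in the same interval. Per-meter range checks
pass each reading individually; a check over the whole batch does not.

All names, record formats, baselines and thresholds here are constructed
for illustration and are assumptions, not any utility's real data model.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Reading:
    meter_id: str
    interval_end: str  # ISO-8601 timestamp of the interval end (constructed)
    kwh: float         # energy consumed during the interval


@dataclass
class BatchVerdict:
    total: int
    zero_count: int
    inflated_count: int
    negative_count: int
    alerts: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.alerts)


def check_batch(readings: Iterable[Reading],
                baseline_kwh: Dict[str, float],
                zero_fraction_limit: float = 0.05,
                inflation_factor: float = 10.0,
                inflation_fraction_limit: float = 0.05) -> BatchVerdict:
    """Flag a batch whose population statistics are implausible.

    baseline_kwh maps meter_id to that meter's typical interval usage,
    taken from a trusted history store rather than from the batch under
    test (otherwise an attacker who rewrites the batch also rewrites the
    yardstick). A reading is 'zero' if it reports 0 kWh against a non-zero
    baseline, 'inflated' if it exceeds inflation_factor times its baseline,
    and 'negative' if it is below 0, which a consumption meter cannot be.
    """
    readings = list(readings)
    total = len(readings)
    if total == 0:
        return BatchVerdict(0, 0, 0, 0, ["empty batch: no readings received"])

    zero = inflated = negative = 0
    for r in readings:
        base = baseline_kwh.get(r.meter_id)
        if r.kwh < 0:
            negative += 1
        elif base and r.kwh == 0:
            zero += 1
        elif base and r.kwh > inflation_factor * base:
            inflated += 1

    alerts: List[str] = []
    if negative:
        alerts.append(f"{negative} negative readings (physically impossible)")
    if zero / total > zero_fraction_limit:
        alerts.append(f"{zero}/{total} meters report 0 kWh against a non-zero baseline")
    if inflated / total > inflation_fraction_limit:
        alerts.append(f"{inflated}/{total} meters report more than {inflation_factor:g}x baseline")
    return BatchVerdict(total, zero, inflated, negative, alerts)


# --- Constructed sample data (assumptions, not real utility data) ------------
METER_IDS = [f"m{i:04d}" for i in range(1000)]
# Assumed per-meter typical 15-minute usage, between 0.5 and 1.1 kWh.
BASELINE: Dict[str, float] = {m: 0.5 + (i % 7) * 0.1 for i, m in enumerate(METER_IDS)}
INTERVAL = "2014-10-16T13:45:00Z"


def normal_batch() -> List[Reading]:
    """Every meter within 0.8x to 1.2x of its baseline."""
    return [Reading(m, INTERVAL, round(BASELINE[m] * (0.8 + (i % 5) * 0.1), 3))
            for i, m in enumerate(METER_IDS)]


def zeroed_batch(tampered: int = 600) -> List[Reading]:
    """The first `tampered` meters report 0 kWh; the rest look normal."""
    return [Reading(r.meter_id, r.interval_end, 0.0) if i < tampered else r
            for i, r in enumerate(normal_batch())]


def inflated_batch(tampered: int = 200, factor: float = 50.0) -> List[Reading]:
    """The first `tampered` meters report `factor` times their baseline."""
    return [Reading(r.meter_id, r.interval_end, BASELINE[r.meter_id] * factor)
            if i < tampered else r for i, r in enumerate(normal_batch())]


if __name__ == "__main__":
    for name, batch in [("normal", normal_batch()),
                        ("zeroed", zeroed_batch()),
                        ("inflated", inflated_batch())]:
        verdict = check_batch(batch, BASELINE)
        print(f"{name:9s} suspicious={verdict.suspicious} {verdict.alerts}")
```

The design point is the separation of the yardstick from the data under test: baselines come from history the batch cannot overwrite, so a mass rewrite of one interval cannot also move the threshold it is judged against. The thresholds are placeholders; in practice they would be tuned per feeder and per season, and this population check backs up, rather than replaces, the per-reading controls (authenticated meter messages, signed firmware) that stop the tampering at the source.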