Once upon a time, ‘housejacking’ meant simply raising a house up on pneumatic jacks to get to the foundations underneath. With increasingly interconnected houses and the rise of the Internet of Things (IoT), it is starting to mean something else entirely. How safe can we be when even our fridge can be hacked? And what about when we take to the road?
The Internet of Things is coming, no doubt about that. Defined succinctly by Gartner as the “network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment,” the IoT represents the physical embodiment of our increasingly connected society. Futurologists have long talked of fridges that will automatically place food orders at supermarkets if you run low on key items, and there are already plenty of smart home installation solutions on the market that will regulate a building’s heating for its residents; turning up radiators, opening windows, drawing blinds depending on the who is in the room, what the outside and ambient temperatures are, and a host of other criteria.
The sense is that we are in the foothills of a whole new exciting era with the IoT stretching before us. Analysts agree too. Gartner again says that 6.4bn connected objects will be in use by the end of 2016, a 30% rise on last year, with 4bn of them in the domestic space. What’s more, that domestic figure will jump to 13.5bn ‘things’ by 2020 (20.8bn in all), representing an overall yearly consumer spend of $1.5 trillion ($3 trillion overall).
Over the course of this current year, 5.5m new ‘things’ will get connected to the internet every day.
The numbers are astonishing. What’s more they are at the low end of projections too. Bell Labs President Marcus K Weldon writing in ‘The Future X Network: A Bell Labs Perspective’ suggests there will be as many as 500 IoT devices per household in the same timeframe and a total number as high as 60bn.
His very next phrase is the key here though: “The attack surface is massive.”
Weldon cites a much quoted 2014 HP survey that found that 70% of IoT devices were vulnerable to attack and that it had found 250 security flaws in ten of the most popular IoT devices. We’ve mentioned it too (see the third story in Hot TV News: Mobile Video Growth, Sky Q Launches; and Security Worries for the IoT) alongside a noted security risk in webcams using the Real Time Streaming Protocol port 554 that was allowing remote access from pretty much anywhere, and the fact that in 2015 the US Federal Trade Commission issued guidelines to IoT companies which recommended that they “build security into devices at the outset, rather than as an afterthought in the design process.”
Of course, this isn’t just about people hacking into baby monitors, worrying though that is; the stakes can be even higher. Cisco has an interesting IoT Security timeline graphic that details some of the headline industrial security threats so far this century. What’s interesting is how they progress from broad spectrum, such as exposure to viruses and worms, to deliberate attacks on control systems. What’s worrying is that it includes attacks on public transport systems, and even safety systems failures in nuclear power plants.
Taking the IoT Mobile
The new frontier is the automobile, as the following video, Hackers Remotely Kill a Jeep on the Highway—With Me in It, shows.
Cars, of course, have become increasingly sophisticated devices over recent years. If you have bought a new car at any time in the past couple of years you will have noticed that the driving aids you get in even the medium range models are getting more and more advanced. From adaptive cruise control that matches your speed to the cars in front, to lane departure warnings that alert you with tiny tugs on the steering wheel if you're dragging across land dividers, to parking assist that can squeeze your vehicle precisely into a space not much larger than it is, the new tools use computer algorithms to process images from onboard video cameras and react accordingly.
They are also becoming steadily more connected. Another Gartner estimate is that one in five vehicles on the road worldwide will be connected by 2020, representing 250m vehicles.
Given the vulnerabilities already detected in the IoT, these represent a huge security and safety risk, especially as we move into a future of over-the-internet upgrades that are designed to affect the performance of the vehicle. Tesla, for example, revealed as far back as 2014 that it can diagnose vehicle faults and send software upgrades to connect them when the vehicle is parked (and indeed did so with around 30,000 vehicles, avoiding an expensive recall).
It did this in the same way that mobile phone companies provide upgrades. Does that mean that vehicles as well should deploy the same Trusted Execution Environments (TEEs) that ensure mobile phone security, isolating the increasingly capable vital onboard systems from the rest of the network? Or are there other security measures that can be taken to make sure the ECU (Engine Control Unit) remains inviolate even as we chart a course to the 5G and uber-connected future?
Either way, with so many connected vehicles about to hit the roads and new driving aides leading to those same vehicles being increasingly autonomous (Juniper Research predicts 20m autonomous vehicles on the world’s roads by as early as 2025), answering those questions is becoming a more pressing issue with each passing month.