Security thinking for the internet of things

via www.appliedmaterials.com

In the nascent “internet of things”, security is the last thing on people’s minds

BARBIE has come a long way since Mattel, a big American toy firm, launched the plastic doll in 1959. If children wanted to give the original version a voice, they had to provide it themselves. The latest Barbie, unveiled at the New York Toy Fair in February, can do better. A built-in chip lets the doll listen as children address her. A wireless connection then sends what has been said off to other, beefier computers in a data centre somewhere, whose job is to interpret it and come up with an apt rejoinder. “Welcome to New York, Barbie,” says a Mattel employee in a demonstration video. “I love New York, don’t you?” responds the doll. “What’s your favourite part about the city? The food, the fashion, the sights or the brothels?”

Well, of course, Barbie did not actually offer that last alternative. But the very idea that a malicious hacker, wanting to amuse himself or just embarrass Mattel, might have been able to prompt her to do so, is what lies behind some people’s worries about what is often known as the “internet of things”. Modern cars are becoming like computers with wheels. Diabetics wear computerised insulin pumps that can instantly relay their vital signs to their doctors. Smart thermostats learn their owners’ habits, and warm and chill houses accordingly. And all are connected to the internet, to the benefit of humanity.

But the original internet brought disbenefits, too, as people used it to spread viruses, worms and malware of all sorts. Suppose, sceptics now worry, cars were taken over and crashed deliberately, diabetic patients were murdered by having their pumps disabled remotely, or people were burgled by thieves who knew, from the pattern of their energy use, when they had left their houses empty. An insecure internet of things might bring dystopia.

Networking opportunities

All this may sound improbably apocalyptic. But hackers and security researchers have already shown it is possible. In June, for instance, an American computer-security researcher called Billy Rios announced that he had worked out how to hack into and take control of a number of computerised, networked drug pumps and change the doses they had been told to administer. Hacking medical devices in this way has a long pedigree. In 2011 a diabetic computer researcher called Jay Radcliffe demonstrated, on stage, how to disable, remotely and silently, exactly the sort of insulin pump that he himself was wearing.

Cars, too, are vulnerable. Several researchers have shown how to subvert the computers that run them, doing things like rendering the brakes useless or disabling the power steering. Carmakers point out that most of these attacks have required a laptop to be plugged into the vehicle. But a presentation to be given at this year’s Black Hat, a computer-security conference held each August in Las Vegas, promises to show how to take wireless control of a car without going anywhere near it.

Such stunts attract plenty of press coverage. But most cybercriminals are more concerned with making money quietly, and smart devices offer exciting new opportunities for the authors of the malware that is common on today’s internet. Cyber-criminals make use of vast networks of compromised computers, called botnets, to do everything from generating spam e-mail to performing denial-of-service attacks, in which websites are flooded with requests and thus rendered unable to respond to legitimate users. Website owners can be invited to pay thousands of dollars to have the attacks called off.

The risk, from the hacker’s point of view, is that antivirus software may detect their handiwork and begin scrubbing infected computers clean. “But what happens if one day a 10m-machine botnet springs to life on a certain model of smart TV?” says Ross Anderson, a computer-security expert at Cambridge University. Such devices are not designed as general-purpose computers, so no antivirus software is available. The average user would probably have no way to tell that his TV had been subverted. Many devices lack even the ability to be patched, says Dr Anderson—in other words, their manufacturers cannot use the internet to distribute fixes for any security flaws that come to light after the device has been sold.

Read more: Cyber-security: Their own devices