John Hultquist, vice president of intelligence analysis at Google’s cybersecurity firm Mandiant, likens his job to studying criminal minds through a straw. He monitors cyber threat groups in real time on the dark web and observes what amounts to a free market of criminal innovation.
Groups buy and sell services, and a hot idea—a business model for a crime—can take off quickly when people realize it works to cause harm or make people pay. Last year, it was ransomware, as criminal hacker groups figured out how to bring down servers through what are known as targeted denial-of-service attacks. But 2022 may have marked a turning point due to the rapid proliferation of Internet of Things (IoT) devices, according to experts.
Attacks are evolving from those that shut down computers or steal data to those that could more directly devastate everyday life. IoT devices can be the entry points for attacks on parts of countries’ critical infrastructure, such as power grids or pipelines, or they can be the specific target of criminals, as in the case of cars or medical devices containing software.
“My wish is that cybersecurity vulnerabilities never negatively impact human life and infrastructure,” said Meredith Schnur, US & Canada Cyber Brokerage Leader at Marsh & McLennan, which insures large corporations against cyberattacks. “Everything else is just business.”
Over the past decade, manufacturers, software companies, and consumers have all embraced the promise of IoT devices. Today there are an estimated 17 billion in the world, from printers to garage door openers, all packed with software (some of it open source software) that can be easily hacked. Speaking Dec. 26 to the Financial Times, Mario Greco, group CEO of insurance giant Zurich Insurance Group, said cyberattacks could pose a bigger threat to insurers than pandemics and climate change if hackers aim to disrupt lives, rather than just spying on or stealing data.
IoT devices are a key entry point for many attacks, according to Microsoft’s 2022 Digital Defense Report. “While the security of IT hardware and software has increased in recent years, the security of the Internet of Things (IoT) has not kept pace,” according to the announcement.
A number of attacks that hit the physical world via the cyber world over the past year show that the stakes have risen. Last February, Toyota shut down one of its plants due to a cyber attack. In April, Ukraine’s power grid was attacked. In May, the Port of London was hit by a cyber attack. That followed a 2021 that included two major attacks on critical infrastructure in the US, crippling the energy and food supply operations of the Colonial Pipeline and the JBS meatpacking conglomerate.
What many pundits await is the day when enterprising criminals or hackers connected to a nation-state find an easy-to-replicate scheme that uses IoT devices at scale. A group of criminals potentially linked to a foreign government may figure out how to take control of many things at once – like cars or medical equipment. “We have already seen large-scale attacks using IoT in the form of IoT botnets. In this case, actors exploiting unpatched vulnerabilities in IoT devices used control over those devices to launch denial-of-service attacks against multiple targets. These vulnerabilities have been found regularly in ubiquitous products that are rarely updated.”
In other words, the possibility already exists. It’s just a matter of when a criminal or a nation decides to take on the physical world on a large scale. “It’s not always the art of the possible. It’s a market-driven thing,” Hultquist said. “Someone comes up with a scheme that will successfully make money.”
Aside from responding quickly to attacks, the only answer to the cat-and-mouse game is constant innovation, says Shlomo Kramer, an early investor in Palo Alto Networks and currently one of the world’s top cybersecurity investors.
There are a handful of companies, new regulatory approaches, an increasing focus on cars as a particularly important area, and a new movement within the software engineering world to better integrate cybersecurity from the start.
The Internet of Things has a major update problem
The cybersecurity industry is upping its game. Companies like Forescout and Phosphorus focus on the security of the Internet of Things, which places a strong emphasis on constantly inventorying “endpoints” — where new devices connect to a network.
However, one of the main problems with IoT security is that there is no good process for updating devices with patches when new vulnerabilities, hacks or attacks are discovered, says Greg Clark, former CEO of Symantec and current chairman of Forescout. Many users are used to downloading updates and patches to computers and phones, and even in these cases, a significant number of users don’t bother to do the updates.
In the IoT, the problem is much worse: who bothers to update their garage door opener, for example? “Not many of the IoT devices have a system to update the code,” says Clark. “It becomes a serious problem to fix the vulnerabilities in the IoT.”
He said a focus for cybersecurity companies has become controlling devices so they can only do certain things. This way the devices cannot be armed to launch attacks on other networks. “There’s a lot of hammers being thrown,” Clark said of products that make the IoT safer.
One focus is on medical devices that are considered to be particularly important and particularly at risk. Last month, Palo Alto Networks announced a new product aimed at medical device manufacturers.
Manufacturers of IoT devices are not sufficiently regulated
Because the challenges are new and cross-industry, US policies and regulations remain patchwork. This leaves much of IoT cybersecurity to consumers and businesses across all sectors, rather than the many manufacturers making IoT devices.
“I’m confident that there will be some new standards and newer regulations that will force vendors to do more,” said Randy Trzeciak, director of the Science Information and Safety Policy and Management program at Carnegie Mellon University. “There should be a national discussion about ensuring device safety and where the manufacturer needs to take some ownership and responsibility.”
Clark said CISA and the National Institute of Standards and Technology are working together and issuing guidelines for the thousands of manufacturers that make IoT devices that, among other things, ensure that IoT devices identify themselves to networks when they’re added to them. In 2020, the US Congress turned the guidelines into law, but only for companies that supply the US government with IoT devices. A spokesman for the National Institute of Standards and Technology says this is the only national law the agency is aware of. There are also some state and industry laws: for example, data in medical devices would be covered by HIPAA, and the National Highway Traffic Safety Administration has some jurisdiction over automobiles.
Some investors and executives are cautiously welcoming increasing regulatory involvement. “It’s just too complex,” Kramer said. “There are not enough qualified and experienced security guards.”
How cars are targeted
As more criminal hackers direct their attacks to the physical sphere, cars are a target. These include theft, where attackers exploit keyless entry systems, but also attacks on sensitive information now stored in cars, such as maps and credit card details.
Led by the European Union, countries around the world are rapidly adopting cybersecurity regulations for cars, with the EU’s rules taking effect in July last year.
The transition to electric vehicles has given regulators an opportunity to stay one step ahead of criminals. As the new technology lowered the barriers to entry, more automakers entered the market. This, in turn, has given regulators an opportunity to work with industry groups looking to protect their domestic industries.
Concerns about cars are nothing new. In a landmark experiment in 2015, two hackers attacked a Jeep Cherokee. “They turned off the engine on the Autobahn – the brakes didn’t respond. It’s not a comfortable situation,” said David Barzilai, CEO of a six-year-old Israeli company called Karamba Security, which helps automakers make their IoT devices more secure.
Barzilai says there have been dozens of attacks over the past 12 months, by both serious criminal gangs and teenagers. “When we started six years ago, the attacks came from states, mainly China,” he says. “Within the last 12 months there has been a democratization” of auto attacks, he said, citing the January 2022 case of the teenager who figured out how to access the control systems of a few dozen Teslas at once.
Connected cars typically have SIM cards that hackers can target over cellular networks, he said. “All cars of the same vehicle model use the same software,” he said. “Once hackers find a vulnerability and find a way to exploit it remotely, they can repeat the attack on other vehicles.”
Cybersecurity grew as an industry primarily as an afterthought, fixing software and hardware that had been around for a long time as criminals and foreign governments discovered vulnerabilities in the systems they could exploit. A study by IBM’s System Sciences Institute found that it costs six times more to patch a cybersecurity vulnerability while software is being implemented than when it is in development. The IoT is still relatively new as an industry, giving security-conscious developers a chance to stay ahead of the cat-and-mouse game, says Trzeciak, and there’s a growing movement of researchers and developers working on it, including the DevSecOps initiative at Carnegie Mellon’s Software Engineering Institute, which aims to add security earlier in software development phases. This process-based innovation could make all types of software, including that in cars and medical devices, more secure – and therefore the devices more secure.