Europol warns of IoT murder and ransomware for smart cars
Europol, Europe's criminal intelligence agency, has painted a grim picture of threats that will be ushered in alongside the Internet of Things (IoT), even predicting that a death caused by an by internet-connected device may happen within the year.
Europol has warned governments to step up efforts to prepare for an onslaught of criminal activity that will emerge alongside the rise of connected objects like cars, white goods, wearables, and body implants. In a recent report, the agency urged governments to equip law enforcement agencies with the tools to investigate IoT-related crimes and policymakers to stay abreast of the latest threats to ensure the right regulations and legislation were in place to meet them.
Referencing a prediction from US security company IID that the world witness the first "murder via hacked internet-connected device" in 2014, Europol said it expects "new forms of blackmailing and extortion schemes (eg ransomware for smart cars or smart homes), data theft, physical injury and possible death, and new types of botnets."
While the predictions may sound far fetched, the late security researcher Barnaby Jack in 2011 demonstrated he could hack a diabetic insulin pump to deliver a fatal dose of the enzyme. Prior to his death last year, Jack was set to demonstrate a remotely delivered electrical shock on a pacemaker. Subsequently, former US vice president Dick Cheney revealed that doctors had ordered the wireless functionality in his pacemaker to be disabled over fears that terrorists could hack it in an assassination attempt.
In its report, Europol identifies a number of risks that are well known by security professionals, including the difficulties applying security fixes for devices, such as home routers.
Europol said that IoT, which will involve more devices, processes, and people interacting via the internet, will create a "wider attack surface and more attack vectors".
"The latter will be exacerbated by devices that are no longer supported or are so small that they do not have security built into them or were not designed with security in mind. Moreover, policy makers are often not part of the early phases either which may result in a lack of relevant legislation and regulation," the report states.
Europol doesn't explain what legislation would be suitable, however Dan Geer, security chief at the CIA's R&D firm In-Q-Tel, has pondered the subject, sharing his ideas at this year's BlackHat conference.
Legislation that could be fitting includes forcing companies that abandon a product — for example, as Microsoft has done with Windows XP — to open source the the code base. Another was requiring embedded systems to have a remote management interface so that security flaws can be fixed. If they don’t, then the devices should be made to self-destruct after a certain period.