The first big Internet of Things security breach is just around the corner

A huge security breach traced back to an unsecured IoT device will happen within the next two years, warn security experts.
Written by Danny Palmer, Senior Writer

Your IoT kettle alone might not be an interesting target for hackers, but if they can use it to get into the rest of your network...


There was a time when the only device you had connected to your network was a PC. Then laptops with a wireless connection came along -- then after that, smartphones and tablets.

But the connected revolution hasn't ended there. Gartner estimates that currently 5.5 million new 'things' -- devices from toasters and kettles to cars and hospital equipment -- are being connected to the internet every single day, and they will total 6.4 billion by the end of the year.

That figure is up from 3.8 billion in 2014 and 5 billion in 2015, and is expected to rise to over 20 billion Internet of Things (IoT) devices connected to the web by 2020.

Automating systems by connecting them to the internet sounds good in theory, but it also risks creating a huge security headache, security researchers warn.

"IoT devices are coming in with security flaws which were out of date ten years ago, that you wouldn't dream of seeing on a modern PC," says James Lyne, global head of security research at Sophos.

The only reason these flaws aren't being exploited right now is that hackers currently have little interest, even though these devices are "trivial" to attack, he said. But don't get too comfortable.

"Very soon, we're likely to see a big breach. It's quite probable that some really shiny, cool, new product is going to come along in the next year which will see massive adoption by consumers and enterprises. When that happens, I think attacker interest will rise," he continued, adding "the speed of that market means we're building up to that moment."

Lyne isn't the only one who believes a big IoT security breach is coming: cybersecurity expert Bruce Schneier also fears that one is coming sooner rather than later -- and that connected cars could be a particularly dangerous target.

"When you start thinking about a car, you quickly realise the integrity and vulnerability threats are much worse than confidentiality threats, and there are real risks to life and property here," he said, speaking at the recent InfoSecurity Europe conference in London.

It would be bad if someone used the systems in a connected car to carry out surveillance on the driver or passengers, he said: "But it'd be really bad if they could disable the brakes. It'd be really bad -- and it'll happen in a year or two -- when someone figures out how to apply ransomware to the CPUs of cars. That's not going to be fun, but as long as there are computers it'll happen."

It's not just a headache for consumers: an infected IoT device on a corporate network could potentially be a doorway for hackers.

"Maybe that wireless kettle isn't an interesting target, but if it helps you see across to the PC where all the goodies are, that matters," says Lyne at Sophos.
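The pivot Lyne describes leaves a concrete trace: a device in the IoT segment initiating connections into the segment where the workstations live. The following detection is an added example written for this page, not code from Sophos or the article; the segment ranges, the allowed DNS/NTP server and the flow records are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed sample flow records (not from the article): "src dst dst_port proto".
# The kettle (10.20.0.15) and a smart TV (10.20.0.42) sit in the IoT segment;
# workstations and servers sit in 10.10.0.0/16.
SAMPLE_FLOWS = [
    "10.20.0.15 93.184.216.34 443 tcp",  # kettle -> vendor cloud: expected
    "10.20.0.15 10.10.0.1 53 udp",       # kettle -> internal DNS: allowed
    "10.20.0.15 10.10.5.23 445 tcp",     # kettle -> workstation SMB: pivot attempt
    "10.20.0.15 10.10.5.23 3389 tcp",    # kettle -> workstation RDP: pivot attempt
    "10.20.0.42 10.10.5.50 445 tcp",     # TV -> workstation SMB: pivot attempt
    "10.10.5.23 10.20.0.15 80 tcp",      # workstation -> kettle web UI: benign direction
    "10.10.5.50 93.184.216.34 443 tcp",  # workstation -> internet: not our concern here
]

# Assumed network layout for the example.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
CORP_SEGMENT = ipaddress.ip_network("10.10.0.0/16")
# Internal services an IoT device legitimately needs: DNS and NTP on one server.
ALLOWED_DESTS = {ipaddress.ip_address("10.10.0.1"): {53, 123}}
# Ports that mean "someone is trying to log in or move files", not "a kettle phoning home".
SENSITIVE_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}


class Alert(NamedTuple):
    src: str
    dst: str
    port: int
    proto: str
    severity: str


def parse_flow(line: str):
    """Split one constructed flow record into typed fields."""
    src, dst, port, proto = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def find_pivots(lines):
    """Return (alerts, targets_by_device) for IoT -> corporate connections.

    Only connections *initiated* from the IoT segment into the corporate segment
    count; a workstation browsing to the kettle's web UI is ignored, and the
    explicitly allowed DNS/NTP traffic is ignored too.
    """
    alerts = []
    targets = defaultdict(set)
    for line in lines:
        src, dst, port, proto = parse_flow(line)
        if src not in IOT_SEGMENT or dst not in CORP_SEGMENT:
            continue  # not an IoT device reaching into the corporate segment
        if port in ALLOWED_DESTS.get(dst, set()):
            continue  # whitelisted internal service
        severity = "high" if port in SENSITIVE_PORTS else "medium"
        alerts.append(Alert(str(src), str(dst), port, proto, severity))
        targets[str(src)].add(str(dst))
    return alerts, {dev: sorted(t) for dev, t in targets.items()}


if __name__ == "__main__":
    found, by_device = find_pivots(SAMPLE_FLOWS)
    for a in found:
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.port}/{a.proto}")
    print("devices reaching into corp segment:", by_device)
```

The useful output is the second value: a list of which IoT devices touched which internal hosts, which is the question an incident responder asks first. In practice the flow lines would come from a firewall or NetFlow export, and the real fix is to put the IoT segment behind a rule that denies anything but the whitelisted services, so these alerts never have a chance to fire.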

Schneier argues that the fact everything is getting connected to the internet adds additional danger to society as a whole.

"There's a numbers game going on here, as the effectiveness of the criminal gets greater, society can afford fewer and fewer of them until it gets so dangerous you just need more security than you can afford," he argued, adding that soon this will reach a "tipping point" of no return.

He said as dams and power plants go on the internet, as our homes, cars, cities, governments go on the internet, there's much more of a worry of a catastrophic risk.

"That's the too big to fail problem -- our systems are getting so big that we can't afford a single failure and that's going to happen soon. It's too big to fail because the attackers are too powerful to be allowed to succeed," Schneier says.

Given how experts have repeatedly warned IoT devices do pose a potentially huge security risk, why isn't more care being taken by those producing and selling them? That's largely because the IoT is so new that standards don't exist and vendors are reluctant to spend money on security for products that might not take off anyway.

But there's a fundamental problem with this approach: to bolster the security of a device after it ships, fixes have to be delivered as patches, and a patch is applied either by downloading an update onto the device or by replacing the device outright. For many IoT devices, Schneier argues, neither of these approaches is realistic.

"As we move to the Internet of Things we're going to have a bigger problem; because right now, the way you patch your router is to throw it away and buy a new one -- that's the patch path.

"A lot of our systems, like phones, are patched all the time, but a lot of the security comes from the fact we get a new one every 18 months, we get a laptop every two years. That allows us to get better," he says.

But a problem arises when items like home appliances, corporate devices, and vehicles can't be treated in this way because they're too expensive and impractical to regularly replace.

"That's going to be a big problem. The home appliance market isn't the same as the consumer electronics market; it's different economics, different life cycles which our security life cycle doesn't match well with," Schneier said, warning, "We're not going to be able to live in a world where to update your [internet-connected] defibrillator you need to open up your body and put in a new one."

Lyne doesn't hold back on what he thinks about the current "build it and ship" mentality of many IoT device developers: "To say there's little consideration given to security is an understatement; in many cases there's a lack of consideration for security."

"Vendors should be held to higher standards," he said.
