Attendees at the DEF CON security conference in Las Vegas last week hacked into voting machines, including this model last used in the mid-2000s. Blake Sobczak/E&E News
What do a car wash, a smart meter and a voting machine have in common?
They can all be hacked.
While most devices built on computer code can be broken, researchers at last weekend’s DEF CON security conference in Las Vegas said fixing a hacked device has separate challenges. That creates big headaches for operators of critical U.S. infrastructure, including the electric grid, as connected devices fill every corner of modern life.
Jeff Debrosse, founder and CEO of NXT Robotics Corp., which provides robots for data centers and energy companies, said the threat of rogue devices is growing. “The internet is going to be swamped.”
Debrosse told E&E News his robotic brainchild, modeled after a Mars rover, is designed to be a “series of connected devices,” including cameras, motion sensors and a microphone.
“Unfortunately, the smallest devices just can’t be updated, so [security] is going to have to happen in the network,” he said, noting that he has added encryption to the communications protocol used by his own product, among other measures. “As a community, we have to figure out how to get that done, because it’s coming our way.”
The U.S. East Coast caught a glimpse of that dire future last fall, when attackers drew on raw computing power from thousands of hacked electronics to briefly knock down a core pillar of the internet. That “distributed denial-of-service” attack hobbled Dyn, a company that routes traffic to popular sites like Twitter and Grubhub (Energywire, Oct. 25, 2016).
With Dyn offline, casual web users were effectively blocked from reaching swaths of the internet.
“The internet of things terrifies me,” said Craig Williams, senior technical leader and outreach manager for Cisco Talos, part of Cisco Systems Inc. “There is no quick solution. We’ve got devices out there now that are going to be vulnerable, that will have no company around to patch them.”
The potential for thousands or even millions of hacked devices to be bundled together in a “botnet” for cyberattacks has set off alarm bells at government agencies and private companies.
When the powerful Mirai botnet of hacked cameras hit cybersecurity journalist Brian Krebs’ website last September, power grid operators took note. The North American Electric Reliability Corp. published a rare warning about growing risks posed by the “internet of things.”
The subsequent attack on Dyn drove home the danger to utility executives eager to avoid seeing their own “smart” electronics drafted into some hacker’s army.
This outdoor security robot from NXT Robotics is an “internet of things” amalgam stitched together with cameras, microphones and digital sensors. Blake Sobczak/E&E News
Energy companies have separately turned to the “industrial internet of things” for efficiency gains in operational networks, though so-called IIoT technologies can carry many of the same security flaws as their consumer-grade counterparts.
“If you are going toward the new concepts, for example, ‘industry 4.0’ or ‘IIoT’ or whatever, well, you have to do it right,” said Vladimir Dashchenko, senior security researcher on the critical infrastructure defense team at Russia-based cybersecurity firm Kaspersky Lab.
In a presentation at DEF CON’s “IoT Village,” Dashchenko laid out bugs he found in several IIoT software products used in multiple sectors and potentially “thousands” of control system environments. As he spoke, hackers at the back of the conference room competed to find faults in everything from smart refrigerators to drones.
Rep. Will Hurd (R-Texas), who visited DEF CON with his colleague Rep. Jim Langevin (D-R.I.) on the House Homeland Security Committee, stopped by the IoT Village and the neighboring “Industrial Control Systems” Village, the latter replete with a home-hacking contest and a realistic mockup of a chemical plant.
“One of the things that I learned is the length of time that these critical components within critical infrastructure are in place,” Hurd said on the sidelines of the conference. “These things are designed to last for 20, 30 years. It’s just one more thing that you have to take into account.”
Eventually, cyberthreats will outpace even well-crafted internet-of-things devices, according to Katie Moussouris, founder and CEO of Luta Security.
“Old hardware can’t keep up with newer security technologies,” Moussouris said.
That raises a thorny question for policymakers and IoT companies: Where do these devices go to die, when it’s appropriate for them to die from a security standpoint?
For many IoT systems, there is no simple “off” switch to prevent them from being exploited for eventual use in wide-scale cyberattacks like the ones on Dyn and Brian Krebs. The devices may continue to beacon out to the internet long after their useful life, waiting to be hijacked.
Joseph Mlodzianowski, vice president of training firm Aries Security, deliberately connected IoT devices to the hostile WiFi networks at DEF CON as an invitation for hackers to try their hand. His “sheep city” in the conference’s Packet Hacking village included a connected train system, garage door opener and a smart meter that, when hacked, shut off lights to half of the model town.
“All IoT devices lack security,” Mlodzianowski said, adding that his mantra is, “you can’t spell ‘idiot’ without ‘IoT.’”
Policymakers have tried to address some of the security problems plaguing the IoT space. At least nine federal agencies, from the Federal Trade Commission to the Department of Homeland Security, have offered some level of IoT-related guidance, “often on data security and privacy,” according to a recent report from the Government Accountability Office.
Congress has also taken note. Hurd told a crowd of DEF CON attendees Sunday that he would push for a hearing on IoT, particularly as “smart” and autonomous vehicles start to become a reality.
“Connected cars is the subsection of IoT that most members [of Congress] can wrap their heads around,” he said. “We all know we have to bake in security.”
Hurd alluded to the early development of the internet, when technologists gave little thought to how their small, trusted network could be abused by hackers. “Let’s not make those same mistakes when it comes to IoT,” he said.
Moussouris, of Luta Security, suggested Congress could consider offering tax credits to organizations that lay out concrete steps to address IoT cybersecurity.
“Every single manufacturer or writer of open-source software that goes into a device, be it car, medical device, or [other] IoT, has to have an ability to find and fix vulnerabilities and has to have a process to handle the discovery of new vulnerabilities,” she said.
Moussouris acknowledged that small manufacturers may be tempted to cut corners on security, given tight budgets and tough competition.
“They are, unfortunately, relearning old history lessons in security architecture and response,” she said. “But on the other hand, if we bog [IoT firms] down with overly heavy regulations, we stifle innovation, so we have an economic responsibility to balance that out.”