Attendees at the DEF CON security conference in Las Vegas last week hacked into voting machines, including this model last used in the mid-2000s. Blake Sobczak/E&E News
What do a car wash, a smart meter and a voting machine have in common?
They can all be hacked.
While most devices built on computer code can be broken, researchers at last weekend’s DEF CON security conference in Las Vegas said fixing a hacked device has separate challenges. That creates big headaches for operators of critical U.S. infrastructure, including the electric grid, as connected devices fill every corner of modern life.
Jeff Debrosse, founder and CEO of NXT Robotics Corp., which provides robots for data centers and energy companies, said the threat of rogue devices is growing. “The internet is going to be swamped.”
Debrosse told E&E News his robotic brainchild, modeled after a Mars rover, is designed to be a “series of connected devices,” including cameras, motion sensors and a microphone.
“Unfortunately, the smallest devices just can’t be updated, so [security] is going to have to happen in the network,” he said, noting that he has added encryption to the communications protocol used by his own product, among other measures. “As a community, we have to figure out how to get that done, because it’s coming our way.”
The U.S. East Coast caught a glimpse of that dire future last fall, when attackers drew on raw computing power from thousands of hacked electronics to briefly knock down a core pillar of the internet. That “distributed denial-of-service” attack hobbled Dyn, a company that routes traffic to popular sites like Twitter and Grubhub (Energywire, Oct. 25, 2016).
With Dyn offline, casual web users were effectively blocked from reaching swaths of the internet.
“The internet of things terrifies me,” said Craig Williams, senior technical leader and outreach manager for Cisco Talos, part of Cisco Systems Inc. “There is no quick solution. We’ve got devices out there now that are going to be vulnerable, that will have no company around to patch them.”
The potential for thousands or even millions of hacked devices to be bundled together in a “botnet” for cyberattacks has set off alarm bells at government agencies and private companies.
When the powerful Mirai botnet of hacked cameras hit cybersecurity journalist Brian Krebs’ website last September, power grid operators took note. The North American Electric Reliability Corp. published a rare warning about growing risks posed by the “internet of things.”
The subsequent attack on Dyn drove home the danger to utility executives eager to avoid seeing their own “smart” electronics drafted into some hacker’s army.
This outdoor security robot from NXT Robotics is an “internet of things” amalgam stitched together with cameras, microphones and digital sensors. Blake Sobczak/E&E News
Energy companies have separately turned to the “industrial internet of things” for efficiency gains in operational networks, though so-called IIoT technologies can carry many of the same security flaws as their consumer-grade counterparts.
“If you are going toward the new concepts, for example, ‘industry 4.0’ or ‘IIoT’ or whatever, well, you have to do it right,” said Vladimir Dashchenko, senior security researcher on the critical infrastructure defense team at Russia-based cybersecurity firm Kaspersky Lab.
In a presentation at DEF CON’s “IoT Village,” Dashchenko laid out bugs he found in several IIoT software products used in multiple sectors and potentially “thousands” of control system environments. As he spoke, hackers at the back of the conference room competed to find faults in everything from smart refrigerators to drones.
Rep. Will Hurd (R-Texas), who visited DEF CON with his colleague Rep. Jim Langevin (D-R.I.) on the House Homeland Security Committee, stopped by the IoT Village and the neighboring “Industrial Control Systems” Village, the latter replete with a home-hacking contest and a realistic mockup of a chemical plant.
“One of the things that I learned is the length of time that these critical components within critical infrastructure are in place,” Hurd said on the sidelines of the conference. “These things are designed to last for 20, 30 years. It’s just one more thing that you have to take into account.”
Eventually, cyberthreats will outpace even well-crafted internet-of-things devices, according to Katie Moussouris, founder and CEO of Luta Security.
“Old hardware can’t keep up with newer security technologies,” Moussouris said.
That raises a thorny question for policymakers and IoT companies: Where do they go to die, when it’s appropriate for them to die from a security standpoint?
For many IoT systems, there is no simple “off” switch to prevent them from being exploited for eventual use in wide-scale cyberattacks like the ones on Dyn and Brian Krebs. The devices may continue to beacon out to the internet long after their useful life, waiting to be hijacked.
Joseph Mlodzianowski, vice president of training firm Aries Security, deliberately connected IoT devices to the hostile WiFi networks at DEF CON as an invitation for hackers to try their hand. His “sheep city” in the conference’s Packet Hacking village included a connected train system, garage door opener and a smart meter that, when hacked, shut off lights to half of the model town.
“All IoT devices lack security,” Mlodzianowski said, adding that his mantra is, “you can’t spell ‘idiot’ without ‘IoT.’”
Policymakers have tried to address some of the security problems plaguing the IoT space. At least nine federal agencies, from the Federal Trade Commission to the Department of Homeland Security, have offered some level of IoT-related guidance, “often on data security and privacy,” according to a recent report from the Government Accountability Office.
Congress has also taken note. Hurd told a crowd of DEF CON attendees Sunday that he would push for a hearing on IoT, particularly as “smart” and autonomous vehicles start to become a reality.
“Connected cars is the subsection of IoT that most members [of Congress] can wrap their heads around,” Hurd said. “We all know we have to bake in security.”
Hurd alluded to the early development of the internet, when technologists gave little thought to how their small, trusted network could be abused by hackers. “Let’s not make those same mistakes when it comes to IoT,” he said.
Moussouris, of Luta Security, suggested Congress could consider offering tax credits to organizations that lay out concrete steps to address IoT cybersecurity.
“Every single manufacturer or writer of open-source software that goes into a device, be it car, medical device, or [other] IoT, has to have an ability to find and fix vulnerabilities and has to have a process to handle the discovery of new vulnerabilities,” she said.
Moussouris acknowledged that small manufacturers may be tempted to cut corners on security, given tight budgets and tough competition.
“They are, unfortunately, relearning old history lessons in security architecture and response,” she said. “But on the other hand, if we bog [IoT firms] down with overly heavy regulations, we stifle innovation, so we have an economic responsibility to balance that out.”