Cybersecurity threats and privacy invasion are daily news with Snowden, Assange, WikiLeaks and foreign hackers breaking into government, political, health, banking and other sites. From the Sony breach to the DNC hacking — cyberpunks aim to steal intellectual property, intelligence and information.
Cyber attacks will get more challenging in the always-on Internet of Things (IoT) connected universe. Thousands of new devices vulnerable to cyber attacks are being attached to the internet, many running low-power processors incapable of supporting sophisticated security. And many embedded devices continue to operate for years after their last software patch.
In October, traffic at websites including Twitter, Spotify and PayPal was slowed or stopped because they were flooded with internet traffic. This DDoS (Distributed Denial of Service) attack reportedly used internet-enabled cameras from Hangzhou Xiongmai Technology, a Chinese electronics component manufacturer. The attackers exploited weak or manufacturer-set passwords that hadn’t been reset by users. Malware known as Mirai took advantage of these vulnerabilities by infecting the devices and using them to launch massive DDoS attacks, deluging websites and taking them offline.
IoT security poses unusual risks. It is one thing to steal usernames, passwords or intellectual property, but it’s entirely different to gain access to systems that can interfere with people directly. Any connected device can be hacked, including a thermostat, smart appliance, connected wearable or even a child’s Barbie doll that is connected to the IoT.
CTA Steps Up Cybersecurity Efforts
CTA is working with our member companies on multiple programs to improve cybersecurity. Recent work includes revising CTA-TR-12, Securing Connected Devices for Consumers in the Home, which provides guidance to product designers and managers on how to enhance cybersecurity; developing guidance for product installers to get the best security out of existing devices; and helping develop and launch the Building Security In Maturity Model (BSIMM) online assessment tool, which companies can use to gauge how well they’re addressing security in their internal processes and end products. CTA also released a white paper outlining a national strategy to promote IoT growth, including the challenges of privacy and security.
Medical device hacking is also a real possibility. So far, such attacks have been confined to scenarios in TV shows like Homeland, which killed off a vice president by reprogramming his pacemaker. In a 60 Minutes interview in 2013, former Vice President Dick Cheney revealed that doctors disabled the wireless capability of his heart implant to prevent hacking.
Studies have found that drug infusion pumps that deliver morphine drips, chemotherapy and antibiotics can be remotely manipulated to change the dosage given to patients. Bluetooth-enabled defibrillators can be directed to deliver random shocks to a patient’s heart. X-rays can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs can be reset, causing spoilage; and digital medical records can be altered to cause physicians to misdiagnose or prescribe the wrong drugs.
The FDA has issued several alerts concerning the safety of infusion pumps developed by Hospira (acquired by Pfizer). And Johnson & Johnson warned users that while the probability of unauthorized access is low, its Animas OneTouch Ping insulin pump could be hacked, with possibly fatal results.
With connected devices expected to reach 21 billion by 2020, security and privacy are top priorities. While IoT holds infinite potential for doing good, it also presents challenges across healthcare, payments, transportation, industrial, government, manufacturing and M2M.