Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

Hitting the Books: Hackers can convince your IoT devices to betray you

Our open technology culture could be our undoing.

Welcome to Hitting the Books. With fewer than one in five Americans reading just for fun these days, we've done the hard work for you by scouring the internet for the most interesting, thought-provoking books on science and technology we can find and delivering an easily digestible nugget of their stories.

Power to the People: How Open Technological Innovation is Arming Tomorrow's Terrorists
by Audrey Kurth Cronin



The internet is all around us -- in our phones, our homes, our cars, and even our toaster ovens for some reason. Problem is, the adoption of this ubiquitous connectivity has far outpaced our efforts to secure those systems against unlawful intrusion, giving bad actors a plethora of new ways to harass, intimidate, harm and terrorize their targets.

In Power to the People, author and noted security expert Audrey Kurth Cronin delves into the history of technological innovation and its impacts on international terrorism. From gunpowder and dynamite to cyberattacks, autonomous systems, and 3D printing, these advances have markedly improved our society but have also given your run-of-the-mill extremist ideologue access to weapons of mass murder.

The Internet of Things (IoT) is the interconnection of millions of computing devices via the Internet, equipped with sensors that directly receive and transfer data without human involvement. As the IoT grows to encompass more cars, kitchen appliances, thermostats, door locks, voice-activated assistants, and even hospital infusion pumps and heart monitors, it provides malevolent actors plentiful opportunities for hacking into systems and wreaking havoc.

A great danger is that because private sector companies compete furiously to get their products to market cheaply and quickly, software engineers routinely fail to incorporate security into their designs. Release of new products takes priority over implementing security features, and since competitors' security is just as lax, properly securing these consumer products, which would lead to delays of months, would be a serious competitive disadvantage. What has resulted is a kind of race to the bottom: according to one estimate, 70 percent of all IoT devices have flaws such as unsecured software and unencrypted communication systems. Thus far, companies are usually not held legally responsible for hacks that break through lax security in consumer devices. What's more, the companies themselves have little incentive to secure or encrypt these data sources, because easy access affords them a wealth of information about users. Openness and accessibility are valuable; for those who want to sell to us, having information on what millions of people do is very lucrative. But profiles of our behavior also offer extremely valuable intelligence for those who want to attack us.

Consumers have little to no control over what information is gathered through these devices because they do not own the software that runs them, or have control over that software. The Internet of Things is changing the nature of buying and owning items. According to law professor Joshua Fairfield, a fundamental shift in property rights is underway and we're entering an era of digital serfdom, loosely resembling feudalism. Whereas serfs did not own their own land, homes, or even farm tools, we generally own the hardware of our smart devices, but the companies who produce them own the software and the information about us they gather. With some smart products, even the hardware is not owned outright, but rather rented. John Deere, for example, has told farmers that they don't really own the tractors they purchase from the company because they are licensing the software that runs them. Farmers cannot fix the vehicles themselves or take them to independent repair shops.

Because IoT devices are connected to the Internet, they can also be hacked, and intrusions are already widespread. Would you leave your front door wide open? In August 2017, hundreds of Internet-connected locks became inoperable because of a faulty software update by LockState. It left hundreds of owners unable to lock or unlock their homes for a week. Hackers have moved from taking remote control of your PC to taking control of your smart TV or your city's CCTV cameras instead. They have hacked cars (repeated attacks on Jeep Cherokees in 2015 and 2016), power plants (malware took down Ukraine's power plants in 2016), smart bulbs (researchers showed they could hack thousands of Philips Hue smart bulbs in 2017), and voting machines (a Princeton professor hacked into one in seven minutes). Relatively inexpensive IoT hacking tools are widely and cheaply available to non-state actors. Why bother planting an explosive device under a car if you can hack into a vehicle's navigation system and make it accelerate into a wall or off a bridge? No need for assassination if hackers can deliver a fatal dose of insulin through the unencrypted radio communication system of the insulin pump. No need to take physical hostages; just tamper with a hospital's computer-connected infusion pump to overdose a patient—then threaten to do the same to others.

According to American cryptographer and computer security expert Bruce Schneier, IoT devices are more vulnerable than your laptop or your phone, for a number of reasons. The first is that huge corporations like Apple, Samsung, and Microsoft can afford to hire large teams of engineers devoted to security, while the smaller companies that are making smart locks and thermostats, for example, cannot. Second, whereas people replace their smartphones and laptops every few years, that is not the case for smart refrigerators, pacemakers, or cars, which they will keep for five or ten years or more. Nefarious actors have much more time to discover their vulnerabilities and, because the software is rarely updated, those vulnerabilities persist year after year, just waiting to be exploited. To make matters worse, a vulnerability in one Internet-enabled device, like your home router, can be used as a launching pad for attacks against a range of other connected devices you might own. One small flaw and your whole computer-assisted life can be hijacked.

Much attention has been paid to the threat of espionage and cyberattacks by states, and in February 2016, US Director of National Intelligence James Clapper warned that the Internet of Things will further empower state-sponsored espionage, enabling better monitoring, tracking, and targeting of individuals. The threat of attacks by non-state actors is also high. For terrorists, a key question now, as always, is which avenues of attack are most easily available? Enormous collections of data are enticing targets, at scales of magnitude that non-state malicious actors could never dream of amassing themselves. States and corporations are focused on the potential fruits of big data rather than on the criminals and terrorists who can hack into it.

By connecting everything from home defense systems to medical devices to utility companies to hydroelectric dams to the Internet, we have made a new means of attack highly accessible. Absent better security measures, well-established processes of the diffusion of lethal empowerment will kick in. In the mid-twentieth century, airline hijackings evolved from airplane flight diversions to Cuba to the downing of airliners with hundreds of innocent people aboard. Exploiting the Internet of Things to hold people hostage or attack them will spawn increasingly violent copycat attacks. Putting better defensive measures in place is essential.

From Power to the People: How Open Technological Innovation is Arming Tomorrow's Terrorists by Audrey Kurth Cronin. Copyright © 2019 by Audrey Kurth Cronin and published by Oxford University Press. All rights reserved.