By Alexandre Cagnoni
We’re seeing it everywhere… from lightbulbs and refrigerators to cars and homes… the ongoing adoption of IoT (Internet of Things) in everyday items is on a trajectory with one speed: fast. But with that remarkable innovation comes some ever-increasing concerns.
IoT is meant to bring new levels of convenience and knowledge for both consumers and corporations. It arms us with new capabilities as well as countless clever new insights on energy, food, security, transportation, and health… just about everything. And even though IoT is on a speedy path to hit every aspect of our lives at some point, a recent IoT-related ransomware run-in at a hotel in Austria illustrates how IoT opens up new vulnerabilities that even stretch into remote mountainside retreats where people usually go to rid themselves of the usual stresses in life.
In late January, we learned that the nearly $400-a-night Seehotel Jaegerwirt, located far in the Austrian Alps within the village of Turracher Höhe, became one of the latest intriguing cases of IoT leading to a ransomware attack. The press was immediately abuzz with rumors of self-locking hotel rooms in the hotel. It turns out that was not exactly what happened. But we will also explain how that’s only the beginning of the story.
Today, people can lock and unlock their home’s front door using a mobile app, remotely turn on your car on a cold morning, control the temperature in your home or at the office… the applications are endless. It’s all about convenience, but what about security? IoT’s success is rooted in the assumption that only the intended or authorized user would interface with the IoT-enabled device or system. What happens if someone breaches the system that controls the various devices? Just one small example would be a Trojan being placed on a mobile device and thus gaining access to your seemingly benign devices that turn out to be not so benign once they’re controlled by someone else.
That’s all too true when we see examples of vehicle brakes being remotely controlled by hackers. And last October the attack on Dyn created a major Internet outage – all from cybercriminals that used vulnerabilities on IoT devices. So not only are the devices themselves open to attack, but they can be used as tools for attacks of a much grander scale. It was reported that ransomware was used to lock or unlock doors at that hotel in Austria, and the attackers demanded a ransom in bitcoins. The ransom was eventually paid, and it turns out their key card management system was indeed unavailable for a bit. It created a lot of inconveniences, but no one’s hotel room actually became a temporary jail cell and no one was held captive.
Now think about the very, very near future, with the massive use of remote-controlled devices, providing energy to homes, light, controlling cars, even getting access to airplane systems? A zero-day threat could cause potential damage to whole city infrastructure. It reminds me of a “Two and a Half Men” episode where Walden and his partner develop software that causes a blackout across the entire country. Could this happen in the future? What about “Person of Interest,” where Finch uses smart camera exploits and even laptop cameras in public coffee shops to spy on people? Are these really farfetched, or are they just around the corner?
IoT already represents a tremendous step forward in innovation, making our life easier, smarter, and connected. But both the typical consumer as well as the world’s largest companies must not only acknowledge and learn about the associated risks, but they should also put processes and precautions in place to avoid misuse. Possible steps include:
• Remote controlled devices should not allow a product to begin functioning before a user changes the “factory set” administrator name and password.
• Firmware updates or app insertion should have a well-controlled system behind it, preventing unauthorized access.
• Eventual failures and attack detection should lead to an automatic safe mode, for example, some form of manual or altered mode.
The hype surrounding IoT is huge, but the attacks surrounding IoT will undoubtedly become the bigger newsmaker. After all, when a lakeside resort nestled in the Alps hits the headlines for IoT related ransomware, it shows anything can be up for grabs. IoT is clearly going to become one of the new elements of the crime. Makers of IoT devices and related systems must play a strategic role in educating the general public on both the benefits and the risks we take as the world depends more and more on connected devices.