Hacking and the Internet of Things

We are now seeing hundreds of mobile apps that conduct Internet transactions and monitor our environment. We can download them and set them in motion with little effort. Most of these apps talk from our mobile device to a web server, but there is a class of apps that operate mostly device to device, with little traffic back to the web.

These active devices are part of the Internet of Things (IoT), and the field is still emerging. IoT devices can be as large as self-driving cars or surveillance cameras, or as small as medical devices such as insulin infusion pumps, indwelling bladder control stimulators or deep brain stimulators.

The hopes for autonomous automobiles include a mild reduction in traffic deaths, cheaper taxi services, and fuel savings from better routing choices and smoother driving habits. Some expect commercial availability of these IoT devices within 5 years; others say 20 years.

Unfortunately, some of today's demonstration-grade autonomous cars are open to hackers. In one demonstration, researchers riding in a car adjacent to the target car used their own radio transmitter to talk to the wireless tire pressure monitoring system of the target car, and from there were able to actuate its brakes, a wildly dangerous stunt if done by malicious hackers. The underlying flaw is that the car's receiver accepted radio frames without authenticating where they came from. The demonstration was benign, but it documents how unsecured IoT control systems could inflict mayhem in the transportation system and delay public acceptance of self-driving cars.

Hackers are seizing control of IoT systems quickly. A botnet is a collection of internet-connected computers under an attacker's coordinated control. There are already two competing botnets, totalling more than a million compromised cameras and DVRs, used to launch distributed denial of service (DDoS) attacks on victims the operators choose. A DDoS attack gangs up on a website by sending it traffic in volumes that overwhelm its ability to serve legitimate users. While participating in the attack, the cameras appear to be working normally, so their owners rarely notice.

Hackers were able to recruit such vast armies of bots because many manufacturers shipped the cameras with default or easily guessed passwords that owners never changed. Some of the botnet cameras are police body cameras; hacker control of such police video "evidence" could taint its reliability.
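The recruitment described above works by scanning for devices that still answer to factory credentials. The following is an added example, not code from the original article or from any botnet: a small detection script that reads login-attempt lines from a device's telnet daemon and flags the sources that are trying known default username/password pairs. The log format, the sample lines and the credential list are all constructed for illustration (the pairs shown are commonly cited factory defaults, not a complete list).

```python
"""Flag telnet login attempts that use well-known IoT default credentials.

Added example, not from the original article. Log format, sample lines and
the DEFAULT_CREDS list are constructed assumptions for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a camera's telnet daemon logging login attempts.
SAMPLE_LOG = """\
Oct 21 03:14:07 cam01 telnetd[812]: login attempt user=root pass=xc3511 from=198.51.100.23
Oct 21 03:14:09 cam01 telnetd[812]: login attempt user=root pass=vizxv from=198.51.100.23
Oct 21 03:14:12 cam01 telnetd[812]: login attempt user=admin pass=admin from=198.51.100.23
Oct 21 03:15:40 cam01 telnetd[812]: login attempt user=operator pass=Tr0ub4dor&3 from=192.0.2.10
Oct 21 03:16:02 cam01 telnetd[812]: login attempt user=support pass=support from=203.0.113.77
Oct 21 03:16:05 cam01 telnetd[812]: login attempt user=root pass=12345 from=203.0.113.77
"""

# Assumed list of factory default (user, password) pairs to match against.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "12345"), ("support", "support"), ("root", "root"), ("user", "user"),
}

LINE_RE = re.compile(
    r"login attempt user=(?P<user>\S+) pass=(?P<pw>\S+) from=(?P<src>\S+)"
)


def parse_attempts(log_text):
    """Yield (user, password, source_ip) for every login-attempt line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("pw"), m.group("src")


def find_default_cred_attempts(log_text, defaults=DEFAULT_CREDS):
    """Return {source_ip: [(user, pw), ...]} for attempts that used a default pair.

    Sources that only tried non-default credentials are not reported.
    """
    hits = defaultdict(list)
    for user, pw, src in parse_attempts(log_text):
        if (user, pw) in defaults:
            hits[src].append((user, pw))
    return dict(hits)


def rank_sources(log_text, defaults=DEFAULT_CREDS):
    """Rank source IPs by how many default-credential attempts they made."""
    counts = {src: len(v) for src, v in find_default_cred_attempts(log_text, defaults).items()}
    return Counter(counts).most_common()


if __name__ == "__main__":
    for src, n in rank_sources(SAMPLE_LOG):
        print(f"{src}: {n} default-credential attempt(s)")
```

A source that walks through several factory pairs in a few seconds is the signature of automated recruitment scanning; the same check run against your own device inventory tells you which units would have fallen to it.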

Johnson & Johnson (J&J) acknowledged that hackers could take control of its Animas OneTouch Ping insulin infusion pump through the unencrypted radio frequency link that its wireless remote control uses to send commands and data. Meddling with the insulin dose could cause sickness or death, although J&J has no reports of malicious activity. Encrypting the control link, and authenticating each command so that the pump rejects forged or replayed ones, could protect patients from criminals attempting to harm them. If remote control over medical devices cannot be secured from hacker meddling, the devices become a potential danger.
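What "securing the control signal" has to achieve is shown below in an added example that is not J&J's code and does not describe the real pump protocol. It models a remote and a pump that share a pairing key (how that key is established at pairing time is assumed and out of scope), puts an HMAC-SHA256 tag and a monotonic sequence number on every command frame, and shows the pump rejecting a tampered frame, a replayed frame and a frame forged without the key, while a legacy pump that accepts raw frames takes the forged dose. The frame layout, command names and dose values are constructed for illustration. HMAC gives authenticity and integrity; hiding the command contents from a listener would additionally need encryption, which this example does not add.

```python
"""Authenticated, replay-protected command frames for a wireless remote.

Added example, not the real Animas/OneTouch protocol. Frame layout, commands
and the shared pairing key are constructed assumptions for illustration.
"""
import hashlib
import hmac
import json
import struct

SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 tag


class Remote:
    """Remote control that signs every command with the shared pairing key."""

    def __init__(self, key):
        self.key = key
        self.seq = 0  # strictly increasing; never reused for this key

    def build(self, cmd, units):
        """Return frame = seq || body || HMAC(key, seq || body)."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        body = json.dumps({"cmd": cmd, "units": units}, sort_keys=True).encode()
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + body + tag


class Pump:
    """Pump that only acts on frames with a valid tag and a fresh sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.applied = []  # commands actually executed

    def receive(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "reject: short"
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Verify authenticity first, with a constant-time comparison.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        # Then freshness: an old or repeated sequence number is a replay.
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return "reject: replay"
        self.last_seq = seq
        self.applied.append(json.loads(body))
        return "accept"


class LegacyPump:
    """Pump that trusts any well-formed frame it hears (the situation the text describes)."""

    def __init__(self):
        self.applied = []

    def receive(self, raw_body):
        self.applied.append(json.loads(raw_body))
        return "accept"


def demo(key=b"\x01" * 32):
    """Run the scenarios and return {scenario: pump decision}."""
    remote, pump = Remote(key), Pump(key)
    results = {}
    genuine = remote.build("bolus", 2.5)          # legitimate 2.5-unit bolus
    results["genuine"] = pump.receive(genuine)
    results["replay"] = pump.receive(genuine)     # attacker re-sends the captured frame
    # Attacker edits the dose inside the captured frame; the tag no longer matches.
    tampered_body = genuine[SEQ_LEN:-TAG_LEN].replace(b"2.5", b"25.0")
    results["tampered"] = pump.receive(genuine[:SEQ_LEN] + tampered_body + genuine[-TAG_LEN:])
    # Attacker builds a frame with a guessed key and a high sequence number.
    attacker = Remote(b"\x00" * 32)
    attacker.seq = 99
    results["forged"] = pump.receive(attacker.build("bolus", 25.0))
    # The legacy pump has no way to tell the forged frame from a real one.
    legacy = LegacyPump()
    results["legacy_forged"] = legacy.receive(json.dumps({"cmd": "bolus", "units": 25.0}).encode())
    results["doses_applied"] = [c["units"] for c in pump.applied]
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:14s} {outcome}")
```

The order of the checks matters: the tag is verified before the sequence number is trusted, so an attacker cannot advance the pump's replay window with unauthenticated frames. The sequence counter must survive power cycles on both sides, otherwise a rebooted remote would restart at 1 and be rejected as replaying.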

Some electronics and software manufacturers are not paying adequate attention to security design and default settings in the IoT products they sell. The FTC has tried to make them focus on the issue, but there is clearly a long way to go. The onus for security does not rest solely with manufacturers: those who operate IoT systems are also responsible for protecting their devices from attack, starting with changing default passwords and applying updates when they are offered.

How far the coexisting hacker, manufacturer and user responsibilities overlap will doubtless be the subject of landmark litigation. Lurking in the background is the unresolved role of government.

Since those outside law enforcement are barred from self-help as vigilantes, government has reserved the role of aggressive and effective protector to itself. When will that responsibility be acknowledged?