Spy boss warns of IoT hacks crippling whole cities

Major cities could come to a standstill through IoT hacks, according to a senior British government official


Large cities could crash to a halt “with the click of a button,” the Telegraph newspaper has reported. The head of spying for the United Kingdom has apparently warned that Internet of Things (IoT) adoption increases the risk of hackers bringing “major cities to a standstill.”

Robert Hannigan, the director of Government Communications Headquarters (GCHQ), the British equivalent of the National Security Agency (NSA) in the United States, made the warning at a science festival in the U.K. recently, the Telegraph writes.

“Terrorists and rogue states are gaining the capability,” the report of his remarks continues. “At some stage they will get the capability.” 

“Risk to cities, like London, would significantly increase as more physical objects, cars, [and] household appliances are connected online in what is called the Internet of Things,” Homeland Security Newswire adds in its coverage of Hannigan’s warning.

“We’re not quite there yet, but as the world becomes ever more connected, that will become a greater risk,” Hannigan says.

The risk is real

How far-fetched is this? Not at all, according to experts.

About a year ago, I wrote about the anatomy of an IoT hack. Interfering with a kitchen oven was the core of that hypothesis then.

The lab that conjured up the theoretical hack, which it called "From the Oven to the Power Station" or, alternatively, "The Terror in the Kitchen," posited that it could identify an individual power station technician and access his work accounts via his home connected thermostat.

So, how insecure is IoT?

I, for one, was amazed when attempting to add a well-known, branded IoT power switch to my home network. I found that it doesn’t show up in the router table. It piggybacks on something else.

That begs the question, as others have posed, too: How is one supposed to monitor the security of something one can’t see?

Vulnerable protocols, insufficient authentication and lack of encryption are among the security voids that Bitdefender discovered in domestic IoT products in early 2016. Adding insult to injury, some vendors, when warned by the security firm of the uncovered holes, hadn’t fixed them as of some months later, Bitdefender says.

One problem is that the gadget business runs hard and fast. It’s low-margin, and every penny saved in development adds to a narrow bottom line. Therefore, if vendors can cut costs by eliminating security hardening, they may be tempted to do that.

Manufacturers may have to be beaten over the head to adopt secure practices. However, media awareness of these kinds of issues could conceivably make consumers choose secure products over insecure ones, thus kick-starting wider adoption of acceptable security.

Periodic patches needed

But even with possible newfound awareness of security issues, there’s another problem:

Consumers don’t understand that they will need to patch their IoT devices and systems periodically, Rand Corporation says.

“Will consumers understand that a refrigerator with a 20-year lifetime also needs 20 years’ worth of software patches?” Rand said in its survey report in 2015.

One further question, of course, is that if people don’t want the things anyway, the issue becomes moot.
