Cyber experts warn that lax security of billions of new networked internet of things devices will create a target-rich environment that could have devastating consequences.

Members of Congress received a dire warning this week about security vulnerabilities in the so-called internet of things (IoT), as cyber experts cautioned that with billions of new devices coming online, coordinated hacking attacks could become — literally — a matter of life and death.

House lawmakers convened the hearing on IoT security in response to last month’s distributed denial-of-service attack on the internet addressing provider Dyn, which resulted in temporary outages at popular sites like Twitter and Spotify.

But that incident, while a nuisance for Internet users and an embarrassment for the companies affected, might only be a prelude to far more serious attacks with potentially catastrophic consequences in the physical world, warns Bruce Schneier, a security expert and a lecturer at Harvard’s Kennedy School of Government.

“This is more dangerous as our systems get more critical,” Schneier says. “The Dyn attack was benign — a couple of websites went down. IoT affects the world in a direct, physical manner — cars, appliances, thermostats, airplanes — there’s real risks to life and property.”

Schneier and other witnesses gave a sobering assessment of the security status of the exploding IoT, where billions of devices are projected to come online over the next few years, many of which are everyday objects such as household appliances, generally low-margin items mass-produced by manufacturers that don’t employ the army of security specialists found at tech companies like Apple or Google.

Inadequate IoT security could have dire consequences

Schneier describes that condition as a “market failure,” arguing that the economics simply don’t incentivize manufacturers to build in rigid security at the design and production stage. So soft entry points in the waves of new products coming online create an environment where those devices can be compromised and marshaled into powerful botnets that could be turned against physical infrastructure.

“In short, IoT security remains woefully inadequate,” says Kevin Fu, CEO of the cybersecurity firm Virta Labs and an associate professor at the University of Michigan. “None of these attacks are fundamentally new, but the sophistication, the scale of disruption and the impact on infrastructure is unprecedented.”

Fu is particularly concerned about the implications of an IoT hack in the healthcare space, where new networked devices are deployed in sensitive environments with self-evident real-world implications.

“We’re going to have some serious trouble if we don’t answer these questions,” Fu says. “I fear for the day where every hospital system is down, for instance, because an IoT attack brings down the entire healthcare system.”

Government should play a role in IoT security

The question of the proper role of the government in shoring up IoT security is tricky. Lawmakers on both sides of the aisle acknowledge that regulating individual technologies is a non-starter, given the rapid pace of technological development and how quickly security threats can evolve.

Witnesses suggested that organizations like the National Institute of Standards and Technology or the National Science Foundation could play a helpful role by formulating principles-based specifications that could help manufacturers and application developers incorporate strong security protections from the outset.

“I think the best place to start is with standards,” says Dale Drew, senior vice president and chief security officer at Level 3 Communications, an Internet backbone provider.

Schneier is likewise a proponent of strong security standards that could be extended out to the global production and supply chain. But in considering the role of government, he goes a step further, arguing that with the attacks expected only to worsen and potentially to bear a human toll, the feds will have to take action sooner or later.

“I see the choice as not between government involvement and no government involvement, but between smart government involvement and stupid government involvement,” Schneier says.

He recalls the immediate aftermath of the Sept. 11 attacks, when Congress moved swiftly to authorize the creation of the Department of Homeland Security, what would become a hulking bureaucracy with extensive authority in the cyber arena.

While he professes that he is no fan of excessive government regulation, Schneier views the potential for real-world harm from cyberattacks as a call to action. Simply put, “We regulate dangerous things,” he says.

“In the world of dangerous things, we constrain innovation. You cannot just build a plane and fly it. You can’t, because it could fall on somebody’s house,” Schneier says. “It might be that the Internet era of fun and games is over, because the Internet is now dangerous.”