I recently bought a smart refrigerator, and recognise there are positives and negatives.
Positives include making great ice and letting me know, while I’m at the store or leaving the office, that the yogurt or milk has expired. It can call the service centre about a fault before it fails. It can even tell me the current weather or stream music. Unfortunately, negatives include that it can wage cyber warfare from my kitchen!
Before you run to the kitchen to unplug your smart fridge, it’s worth noting that this issue applies to many smart devices, and here’s why.
If I were to remove the “brains” of my smart fridge – that is, the silicon chip and operating system that runs on the chip – I’d find that it’s the same, or nearly identical, as the chip-operating system combo that’s in my smart TV, toaster, thermostat, and door lock.
Actually, these chips and operating systems are in millions of connected devices, from industrial equipment in oil fields and power grids to vital healthcare equipment, such as drug infusion pumps, defibrillators, and, yes, the refrigerators in hospitals that ensure blood supplies and medicines stay at a safe temperature.
How can that be?
Purpose-built ‘brains’
Once upon a time, the chips and operating systems used in different types of devices were purpose-built for that specific device and that particular industry. An oil and gas field monitor would carry its own, custom-made chip and operating system. Same goes for the power or healthcare industry.
This might not have been particularly efficient, and it certainly wasn’t cheap, but what it did mean was that if a bad actor wanted to hack a particular piece of oil and gas equipment, he or she had to target that unique chip and operating system. If they wanted to target another piece of equipment, they’d have to start the process all over again.
Effectively, the “brains” of the oil field equipment was as different from the “brains” of a defibrillator as an oil and gas field monitor is different from a defibrillator.
Today, however, in the race to lower prices and bring connected and smart products to market quickly, manufacturers are using mass-produced “systems-on-chip” (SoCs) and operating systems to give their devices “brains”, leveraging vast economies of scale to keep prices down. As a result, they are less concerned with the security implications of this “race to the bottom”.
That’s why my fridge seems so smart about streaming music. It’s the same chip/operating systems that I’d find if I opened up my streaming audio speaker. Same goes for the oil and gas field equipment or the emerging new generation of smart healthcare equipment such as the infusion pump in the hospital. Add a speaker and they could both play music just fine.
One bullseye, millions of targets
On a more serious note, however, what this means is that a malicious actor has to hit only one bullseye in order to compromise millions of devices.
Even if it’s incredibly difficult – and both resource and time intensive – to compromise the chip or the operating system, the incentive to do so today is enormous: the threat actor will gain access to millions upon millions of Internet of Things and other smart and connected devices, creating enormous botnets to serve as their digital army.
When a hacker’s computer is building a botnet army for a distributed denial of service (DDoS) attack – such as the one executed against Dyn in the US on October 21, 2016 – it doesn’t see a fridge, a toaster or an oilfield monitor; it just sees a vulnerable computer running a commoditised SoC and operating system.
To put this another way, consider an apartment building with 10 apartments and 10 different physical front door keys and locks. If you want to rob all 10 apartments, you need to steal the keys or break the locks on 10 different doors. Imagine, however, if they all used the same key to open their front doors. Even if every apartment owner protected their keys with a team of armed guards, the potential opportunity of being able to access not just one apartment, but all 10 through a single key, would make the incentive to overcome the guards enormous.
Exploits for these chips and operating systems don’t have to be easy; the devices they run on just have to be ubiquitous enough to be worth the trouble.
So this is how we end up in an environment where millions of IoT devices could be compromised for the successful DDoS attack against Dyn, which took many well-known US and global websites offline for hours at a time.
The thing is, millions more devices with these same vulnerable, commoditised chips and operating systems sit on store shelves across the globe, and they continue to be made in factories from China to Chile. Even with the announcement of global recalls from certain device manufacturers, the immediate solution doesn’t lie with throwing away these devices; it lies in a very different approach, both from industry and consumers.
This is where we as consumers – whether individuals, SMEs, enterprises or nation states – can directly influence the security of these devices by changing the incentives for their manufacturers. As the target consumers for a vast majority of these devices, we can vote with our wallets.
We can begin to choose – demand, even – that manufacturers stop using commoditised and insecure chips and operating systems. We can favour those that certify that their devices have higher security using the highest level of testing and validation. Innovative and scalable solutions that meet the needs of this emerging market, such as blockchain and Public Key Infrastructure, will come into play to ensure devices can be secure and trusted once they leave the factory and long into the future.
This may make devices more expensive. But just as we pay a little bit more for our cars so that they contain equipment to clean the exhaust, and thus deliver healthier air and a cleaner environment for everybody, so too does thinking about and researching our choices – and in some cases paying a bit more for our smart devices – deliver a safer internet for us all.
I’d certainly be willing to pay a few more dirhams for my fridge if that gave me more confidence that the only thing it could freeze was my ice.
About the author: Stephen Brennan is Senior Vice President, Cyber Network Defence of DarkMatter. He can be contacted on Twitter handle @StephensLogic
Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai, the UAE and the GCC straight to your inbox.