Recent work by security researchers indicates that one of the problems with having a “smart” home is that some day, it might be smart enough to attack you. The essence of the forthcoming “internet of things” is that everything we own, from our refrigerators and egg cartons to our cars and thermostats, will some day be outfitted with internet-connected sensors and control systems, allowing all our possessions, and ultimately all of our civic infrastructure, to communicate with each other and be controlled remotely.
The potential security implications of this future are fairly obvious: Imagine if the same hackers that are stealing our credit card numbers suddenly had the ability to take over or at least monitor just about every device in reach. But to date, thinking through the specifics has been tricky. Here, then, is a handy guide to the basic vulnerabilities we’ll be adding to our lives once we have connected all of our worldly goods to the internet of things:
Direct attacks that force objects to exceed their design parameters or operate in ways that are unpleasant or dangerous
The most successful cyber-attack on physical infrastructure ever—an attack on Iran’s uranium enrichment facility, suspected to be a join US-Israeli project, that set Iran’s nuclear ambitions back by at least a year—illustrates a basic principle of internet-connected devices: Having the ability to control them remotely could mean giving hackers the ability to damage them remotely, or re-purpose them for nefarious uses.
In the Stuxnet attack on Iran’s nuclear program, software was used to spin uranium centrifuges at a speed and duration that physically damaged these delicate instruments, requiring what was probably months of subsequent repair. Similarly, at this year’s Defcon conference for hackers, security company Cimation demonstrated an attack that could damage a water treatment facility—causing a pipe to burst or a tank to overflow—or any other plant that uses a common protocol for controlling infrastructure that was invented in the 1970s.
Granted, our homes do not include uranium centrifuges or plumbing we control remotely—yet. An attack on the Inax Satis smart toilet would allow a hacker to activate this $4,000 toilet’s bidet remotely.
Misdirection leading to user error and damage
As with the internet itself, we will in time become ever more reliant on the internet of things. Baby and pet monitors, home automation systems and even our cars will send us information in ways that will make our lives easier but also encourage our dependence on these systems. In this way, hackers do not even need to figure out how to harm us or damage our connected devices to cause mayhem: They simply need to send us false readings from the sensor systems we’re using.
In the Stuxnet attack on Iran, the reason operators at the uranium enrichment facility did not shut down the infected centrifuges is that the same software that was spinning them at dangerous speeds made it look as if everything was normal. Some systems in, for example, the oil and gas industry are already vulnerable to attacks in which operators are led to believe that everything is fine when equipment may actually be operating at unsafe temperatures and pressures.
This could allow hackers to set up scenarios in which users would be the agents of their own undoing. For example, a smart thermostat set to keep a house at a certain temperature for pets while an owner is away could send false readings to the user, encouraging them to send instructions to it remotely, perhaps to make the house warmer, without realizing that the home’s heating system is already at full blast.
A world of new possibilities for spying
Once entire homes are fully instrumented with sensors, there is no end to the kind of data that hackers and governments could gather about us and our habits. Here’s a smart lamp that transmits via the internet whether or not you’re home, and similar insights could also be gathered via your smart thermostat. Every smartphone, laptop and tablet we own is already broadcasting huge amounts of information about us—who we are, where we are, where we’ve been, what websites we’re logging onto—which can be gathered with a $57 listening device.
In the case of both mobile devices and smart connected devices, security is lax, probably because the makers of these gadgets, and the connection standards on which they rely, didn’t have to think about how they would all become part of a universal internet of stuff, whose interacting devices would lead to a wealth of unexpected vulnerabilities. This is especially true of wi-fi, which because of its ubiquity is a strong contender for the de facto connection standard for the internet of things, which means there’s little we can do to avoid these security vulnerabilities. “These are fundamental design flaws in the way pretty much everything works,” one researcher recently told the New York Times.
If these concerns seem overblown given the current state of the internet of things, keep in mind that, like other technologies, hundreds of companies are working on ways to make smart devices ever more useful. Terrorist attacks on electrical grids and nuclear power plants may grab headlines, but a whole new class of petty crime against our personal infrastructure is also on its way.