IoT attacks could become life-threatening, security experts warn
Weak Internet of Things security might leave us vulnerable to dangerous attacks with far more serious consequences than a couple of websites being knocked offline. Harvard lecturer , a security expert, said IoT attacks could do real physical harm, reported.
Schneier called the recent “benign”, and “as our systems get more critical,” he sees greater threats in the future. “IoT affects the world in a direct, physical manner — cars, appliances, thermostats, airplanes — there’s real risks to life and property.”
Countless internet-connected devices are being mass-produced by companies that lack the security focus of giants like Apple and Google, the experts warned.
“The market can’t fix this,” said Schneier, who argued the lack of IoT security “is a market failure.”
This means many of the billions of smart everyday objects that consumers will buy over the following period will be vulnerable to attacks, which could have very serious consequences. That’s why experts think the government needs to get involved and come up with “some good regulations,” Schneier argued.
“In short, IoT security remains woefully inadequate,” said Kevin Fu, an associate professor at the University of Michigan and the head of Virta Labs, a company specializing in healthcare cybersecurity. While we’ve seen these types of attacks before, “the sophistication, the scale of disruption and the impact on infrastructure is unprecedented,” he added. Fu warned that IoT attacks on healthcare equipment would have clear real-world implications.
“I fear for the day where every hospital system is down, for instance, because an IoT attack brings down the entire healthcare system,” Fu said.
Experts: Government should issue security guidelines for IoT makers
Regulation is a delicate matter, as lawmakers are aware. During the hearing, Republican congressman Greg Walden said that in such a fast-paced environment, regulations could do more harm than good by forcing manufacturers to focus on certain areas while hackers could quickly change attack methods.
“I see the choice as not between government involvement and no government involvement, but between smart government involvement and stupid government involvement,” said Schneier. With future attacks expected to become more and more dangerous and even lead to loss of lives, he thinks the feds will need to step in sooner or later. “We regulate dangerous things,” he said, making reference to the creation of the Department of Homeland Security very soon after the September 11 attacks.
Dale Drew, senior vice president and chief security officer of Level 3 Communications, said regulators should begin by establishing standards, which they could use to pressure the manufacturers to implement proper IoT security. Schneier suggested regulations could ask for certain results, leaving it to manufacturers to figure out how to achieve them.
Fu went as far as asking for the establishment of an independent lab for pre-market cybersecurity testing.
Drew suggested beginning by establishing standards, and using them to apply pressure. Schneier suggested setting benchmarks, but not methods of achieving them. “Here is the result we want. Figure out how to do it,” Schneier said.
“This is what we do when innovation can cause catastrophic risk,” Schneier said, referring to regulation. “And it’s catastrophic risk we’re talking about. It’s crashing all the cars. It’s shutting down all the power plants. The internet makes this possible because of the way it scales. And these are real risks.”