Internet-of-Things: Attack of the Killer Fridge

Could Smart Devices create vulnerabilities that could bring down our critical national infrastructure?

Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017, Up 31 Percent From 2016

This week I attended an excellent Executive Leaders Network (ExecLN) event in Reading and watched a brilliant presentation by @TheKenMunroShow on the cyber security threats our obsession with connected devices could create.

The premise was simple. As we deploy more and more devices as part of the Internet-of-Things revolution we are potentially creating multiple opportunities for cyber attacks due to the vulnerability of the sensors and devices we deploy on otherwise secure networks.

On a scale of 1 to 10 how dangerous could an IoT cyber attack be?

When you first consider the vulnerabilities of a cyber attack on IoT devices it doesn't appear as if someone taking-over, controlling or disabling an IoT device is that serious. However, when you start to consider the types of devices and their uses you realise that in an increasingly automated world an IoT cyber-attack could have profound implications.

So lets have a look on a scale of 1 to 10 the implications of an IoT Cyber attack:

Scale Devices Example attack Impact

1-2 Smart watches, TVs Resetting your alarm clock Negligible

3-4 Home automation system Turning off your heating Minor*

4-5 Office automation system Turning off building systems Medium

6-7 Traffic signals/Sensor nets Turn off all the traffic lights Major

8-9 Industrial Control systems Disable the Thames Barrier Critical

10 Critical Infrastructure Nuclear power station controls Catastrophic

Looking at the types of systems in the Internet-of-Things you can see that some of the devices that form that ecosystem have the potential to cause major problems when interfered with. I'd like to think that Nuclear Power station Control Systems are:

a) Not connected to any external network

b) Have layers and layers of security on them!

But I'd also like to think that people wouldn't run unauthorised experiments on nuclear power stations e.g. Chernobyl. Lets hope that the people charged with protecting those types of systems know what they are doing.

However, its quite possible that industrial control systems and traffic signals have vulnerabilities that could allow them to be attacked. Simply put, when you buy a Smart Kettle you hope that first and foremost that the company that make it has a long history of making devices to boil water safely; but realistically the requirement to withstand a cyber attack is likely to be much further down your list than the requirement to be switched on from your smartphone before you get out of bed.

Was the Italian Job (1969) the first cinematic depiction of an IoT Cyber attack?

Did the Italian Job (The 1969 Michael Caine Classic not the shoddy 2003 Mark Walhberg remake) represent the first cinematic depiction of an IoT Cyber Attack?

In the film, which took place long before the internet was conceived, the plucky heroes lead by Michael "You're only supposed to blow the bloody doors off!" Caine paralyse the traffic in Turin as a cover for their daring bullion robbery and escape.

Benny Hill, playing a computer programmer, introduces a virus into the Turin City traffic computer that switches all the cities traffic lights on and off.

In the film the heroes have to infiltrate the computer building and put a new tape reel into the computer (It is an old film!) but todays cyber villain may only have to connect a device to an unsecured traffic light to cause the same chaos from the comfort of their own home.

What is a cascade failure?

In 2003 there was a power failure in the US and Canada that affected over 55 million people. The power was off for 2 days in most cases but in some remote regions it took over a week to restore power.

This power failure demonstrated the instability of our power networks. One surge cause by incorrect telemetry caused a single failure causing first one then another power station to overload and shut-down. All of the nuclear power stations were moved into "safe-mode" and taken off-line and the impact rippled across a large part of the North East of America.

The cascade failure shut down electricity, water pumping, transportation networks and communication networks. But, you may ask, "What has that got to do with my smart fridge?"

The Cascade Failure can be likened to the "domino effect" where one small failure impacts the next system, and the next system, and your smart fridge could be the first domino.

How you use a Smart Fridge to bring down the critical national infrastructure of a country

Assuming your Smart Fridge, or Smart Thermostat or Smart Lighting System can be hacked, and Ken Munro demonstrated how easy it was to hack these devices, a cyber villain can then control them. What is the worst that they can do? They could defrost your fridge! They could switch all your devices on and give you a bigger energy bill! On an individual scale this counts as an inconvenience.

In 2016, 80 million smart home devices were delivered worldwide, a 64 percent increase from 2015, - IHS Markit. 

However, with over 1 million smart thermostats in the UK what would happen if you turned them all on or all off at the same time?

Its a well known fact that the UK power grid experiences surges in demand at specific times, usually when everyone turns on the kettle during the commercial break in Coronation Street. The electricity generation companies address this by switching on additional power stations ready for the demand. One of the problems facing the electricity generators is that the systems aren't very dynamic and they don't respond well to unexpected changes in demand.

If someone were to switch on (or off) all of the smart home devices at a period of peak-demand it may be possible to trigger a cascade failure similar to the North-East Blackout in 2003.

How do you stop the "weaponising" of IoT?

To prevent this type of misuse of IoT systems by criminals or even terrorists quite simply we need to consider the end-to-end security of our IoT networks and devices. The security of the radio access networks running Narrowband IoT (NB-IoT) is pretty good, but the worry is that on top of these secure networks we've deployed thousands of devices that are insecure, and not only that potentially open a back-door into the network systems.

IoT Security Market Growing at a CAGR of 34.4% During 2017 to 2022 - ReportsnReports

Its too late to "put the Djinn back in the bottle" but its not too late to start educating all of the exciting and innovating companies in the IoT domain about the importance of building security into their designs as a key principal, rather than as an afterthought.

*If you were vulnerable, elderly, or ill turning off your heating could have a serious impact if you were unable to turn it back on