IoT - The Next Level of Terrorism

When someone mentions the term IoT (Internet of Things), our faces light up like that of a kid who’s been given a new toy to play with. We’re asking questions like how IoT is revolutionizing world and how it’s making our day to day lives better when the real question we should be asking is, are our existing IoT framework and compliance standards completely addressing our security needs from something more dangerous than anything we’ve seen before - Cyber Terrorism?

Simply put, hacking into the location data on a car is merely an invasion of privacy aka data theft, whereas hacking into the control system of a car would be a threat to life and is considered cyber terrorism.

Let’s look into a few examples of how radicals are using such a promising technology to cause chaos and destruction. Here’s a few ‘what-if’s with things that are automatically controlled over internet:
Scenario-1: What would happen if all the fans supporting the ventilation system for underground subway or long tunnels connecting cities stopped working?
Scenario-2: What would happen if a vehicle loses its control or malfunctions? What if this happened to all vehicles across the city simultaneously?
Scenario-3: What would happen if synchronized traffic lights are not working as they should?
Scenario-4: What would happen if all the transformer blow out at the same time?
Scenario-5: What would happen if the cooling fans at data centers fail?
Scenario-6: What would happen if a hospital’s medical device’s real-time diagnosis results are manipulated?
Scenario-7: What would happen if the home security alarm in every home in a city starts sending distress signals at the same time?

What would happen if all above scenarios take place at same time in a city like Manhattan?
o Huge defeat to human race
o Economic loss – A loss that would make it near impossible to come out of
o Chaos, panic, riots and what not?

Pretty scary, isn’t it?

Basically, anything that is connected to the internet can be hacked with the right tools and skills and IoT is no exception to that. A security firm ESET recently found a malware named “KTN-Remastered” (https://www.securityweek.com/new-remaiten-malware-builds-botnet-linux-based-routers) that would target routers and other embedded devices like IoT.

According to Intel Security, IoT devices are just beginning to be exploited. It is only a matter of time until IoT device threats become more widespread. Attackers are not after the devices themselves, but the data or gateway capability that they enable because it is the easiest way in, and these devices often provide under-defended access to target-rich networks. (https://www.zdnet.com/article/iot-malware-and-ransomware-attacks-on-the-incline-intel-security/)

According to Gartner, by 2020, more than half the major new business processes and systems will incorporate some element of IoT leading to 20 billion IoT devices connected over the internet. Gartner expects black market exceeding $5 billion worth of IoT devices with fake censors for enabling criminal activity. (https://www.gartner.com/newsroom/id/3185623)

IoT can be classified into two categories, sensors and controllers. Sensors and controllers are connected over the internet to collect the data, analyze and regulate the process that they support.

Radicals can get access to these sensors and controllers by using the internet as an access medium and can become the controllers of these controllers – master controllers. These master controllers can combine several technologies like high speed internet, augmented reality, artificial intelligence, wearable technology, cloud computing etc., together and get complete access to the device that they’ve hacked into. For radicals, IoT based attack is the easiest and cost-effective way of declaring war against any country they want. Simply put, IoT is both a luxurious blessing and a dangerous weapon.

I strongly feel that it is important for governments, policy makers and technology leaders to connect together and start working on security measures in preventing IoT terrorism. They will also have to come up with proper contingency plan for every possible attack that could happen and should be ready to face it “if it happens”. But how?

1. Implement security standards at manufacturing level
2. Strict guidance’s to IoT manufacturers and enable approval process for every IoT device that are conceptualized
3. Draft a IoT security and implementation framework
4. Draft Compliance standards
5. Both IoT service provider and consumer must have security policy and vulnerability policy implemented with security patches released frequently to address concerns
6. Identify innovative and more secure ways to exchange encryption keys
7. New security protocols should be rolled out to manage IoT devices
8. Every IoT cloud must be SAS70 certified
9. Governments should implement new pattern analytical engines to understand and alert if there is a change in IoT data delivery patterns.

Currently there are initiatives like Builditsecure.ly or OWASP Internet of Things project that could actually help to build a more robust and secure platform for connected device with very minimal to no serious security issues.

I want to conclude this article with a piece of text I came across:
If we’re not careful, the Internet of Things could also turn out to be one of the most dangerous weapons around. Subverted by malicious intent, the Internet of Things could just as easily turn our lives into a horror movie, one in which the everyday objects we depend on have suddenly developed a new urge—the urge to destroy.