Cybersecurity and the Internet of Things: Tales from the Frontier
It’s a scenario that many people would prefer not to imagine: you’re speeding down the highway at 70 mph, and an unknown adversary takes control of your car, disconnecting your brakes and eventually crashing you into a ditch.
That’s exactly what happened to Andy Greenberg, a writer for Wired magazine, in 2015. True, the incident did not exactly catch him by surprise: he had volunteered to be a “digital crash test dummy” in an experiment staged by two cybersecurity advocates, Charlie Miller and Chris Valasek. Together, they were out to demonstrate the serious security vulnerabilities associated with internet-enabled entertainment systems, a feature of many vehicles now coming off the assembly line.
With Greenberg behind the wheel of a Jeep Cherokee, the two hackers began to wreak havoc: blasting the interior with frigid air, blurring the windshield with wiper fluid, then disconnecting the transmission and, eventually, the brakes. Even though he was in on the stunt, the writer found it increasingly difficult not to panic – especially as an 18-wheeler bore down on his crippled vehicle.
Greenberg survived to tell the tale, warning that the rush to add internet-enabled features and services is outpacing our ability to secure them from intruders. “Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone,” he wrote for Wired.
Hackable cars are only one of the emerging security nightmares arising from the proliferation of internet-enabled devices, or the Internet of Things (IoT), as the phenomenon is commonly dubbed. Across a wide spectrum of industries, companies are eager to harness the capabilities – and, in many cases, the potential cost savings – that come with an IP address.
The result, too often, is a wide-open back door for cyber criminals and a raft of unsuspected consequences for businesses and consumers.
An internet-enabled HVAC system, for example, was the initial point of entry when hackers compromised the Target Corporation’s internal network in December 2013, staging one of the most infamous data breaches to date. The thieves appropriated domain access privileges and disguised themselves as admins, then tunneled their way into database servers, gaining access to the Personally Identifiable Information (PII) of 70 million customers and stealing 40 million debit and credit card credentials – which they then sold on the black market.
And it all started because of a convenient, cost-saving new feature added to many HVAC systems: network access. Such access enabled the vendor in charge of heating and air conditioning services to remotely monitor energy consumption and temperatures at individual stores.
An expanding attack surface
Staying ahead of the security problems posed by the dizzying array of networked devices is a key priority at Capitol Technology University, long known for its cutting-edge undergraduate, graduate and certificate programs in cybersecurity. The university was among the first to offer a doctorate in the field, starting in 2010.
Today, Capitol continues to upgrade its curriculum and provide new resources in response to quickly evolving trends. The pool of students seeking cybersecurity expertise is changing as well. No longer merely a concern for specialists, cybersecurity is becoming everyone’s business.
William Maconachy, vice president of research at Capitol Technology University and a revered pioneer in the field, believes the general public can no longer afford to remain blissfully ignorant.
“Tremendous vulnerabilities are there as a result of our becoming so web-reliant. Web-reliant equals web-vulnerable,” he said.
While the potential to wreak financial havoc is serious, Maconachy says it’s the implications for personal privacy that keep him up at night.
He cites, as an example, the experience of a friend who installed a home security video system, only to discover that it was being hacked. Instead of providing security to him and his family, the cameras were being used by an outsider to spy on their activities.
“The invasion of privacy is becoming a big thing,” Maconachy says. “It’s not just about thieves stealing money off of your credit card, bad as that is. We’re talking about serious intrusions into a person’s life space.”
Dr. Jason M. Pittman, a professor of cybersecurity at Capitol, sees a cybersecurity arena that is becoming increasingly complex and decentralized.
“The single most pressing area over the next five years will be low-power, embedded devices. These devices will accelerate in their penetration into daily life because of the huge benefit to society,” he said.
Pittman and his colleagues are working to bring about a fundamental change in attitude among stakeholders in cybersecurity technology, including application developers, businesses that offer services, and the consumers who use them.
“We need to massively rethink our approach to developing technology. Improving quality of life and reducing inane burden is the purpose of technology. But we need to begin producing technology that innately includes cybersecurity features,” Pittman said.
“Secondly, we need to develop a collective ability to move faster when vulnerabilities are announced. Adversaries will always have n+1 steps while we only have n steps. We need to leverage that,” he said.
“We need to evolve a view in which cybersecurity is a baseline attribute.”