Concerns about cybersecurity are rising, but most people think about hackers stealing credit card data from corporate databases, while it may be just as critical to worry about services we take for granted, like the electric grid or air traffic control.
The Internet of Things (IoT) is bringing a new awareness of security vulnerabilities into broad daylight. And this isn’t being driven by new technologies rolling out – like smartphone-controlled ovens – but mostly by researchers demonstrating how public infrastructure is dangerously insecure.
Consider our traffic light infrastructure, providing vital services in every city and town across the country and most of the world. Researchers, like Cesar Cerrudo of IOActive Labs, have demonstrated that these systems can be hacked. Cerrudo flew to Washington DC last year and found he could break into the capital’s traffic system, and change red lights to green: he could have, ‘paralyzed emergency responders,’ as Nicole Perlroth put it in the New York Times.
When he approached the company that designed the traffic sensors involved, he was ignored. Apparently the traffic on the sensor network is unencrypted. Cerrado said in a recent interview,
What I found is that cities are filled with security problems that could have a very direct and physical impact on our lives.
Yes, it does sound like a Hollywood movie, like the Italian Job or Live Free or Die Hard, but Cerrado and others researchers have shown it’s not special effects. A team from the University of Michigan led by J. Alex Halderman found three major weaknesses in the traffic infrastructure:
- Unencrypted traffic
- the use of default passwords and user names
- a debugging port too easily attacked.
Traffic systems are designed for the convenience to traffic engineers, rather than public safety. For example, once tapped in to any point of entry, the entire system can be accessed, in many cases.
Concerns about cybersecurity are rising, but most people think about hackers stealing credit card data from corporate databases, while it may be just as critical to worry about services we take for granted, like the electric grid or air traffic control.
I’m not writing about someday-in-the-future drones or the 2020 smart home: these are relatively pedestrian networked systems in place today, that we all rely on.
Another disturbing bit of research along these lines appeared this month, when security researcher Billy Rios discovered that a popular drug infusion pump has vulnerabilities that would allow a hacker to remotely monitor and change the dosage of drugs being administered to patients in hospitals.
As Cory Doctorow summarizes at BoingBoing,
The companies whose products Rios analyzed are in denial about their mistakes. Hospira, who have at least 325,000 vulnerable Plum A+ models in hospitals worldwide (and unknown numbers of other vulnerable models), insist that they are invulnerable because the devices’ communications modules are physically isolated from the pumps’ circuitry. But although these two functions are separated on two physical boards, these boards are connected by a serial cable that allows them to talk to each other, and the pumps do not validate the firmware their receive from the communications modules.
So, a hacker would only need access to the hospital’s network, which is likely to be connected to the Internet, and boom! All the pumps are shut off.
I feel like I am drafting the screenplay of a dystopian sci fi novel, but I’m not. (Or should I be?)
These are just the most recent examples of the findings of researchers who are probing the existing infrastructure that our world runs on. I’m not writing about someday-in-the-future drones or the 2020 smart home: these are relatively pedestrian networked systems in place today, that we all rely on. And they’re as full of holes as Swiss cheese.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.