If you’re shopping for the perfect gift this Christmas, you might want to avoid the electronics aisle.
In a Dec. 9 visit to the Christian Science Monitor Breakfast, a routine stop for policymakers and elected officials, United States Homeland Security Advisor Lisa Monaco made a comment that was anything but routine.
Speaking about violent state and non-state actors, Monaco said, “…the range and diversity of vectors through which these actors are conducting malicious cyber activity [will increase]; the Internet of Things is going to pose a huge challenge that the next team will increasingly need to focus on.”
Last week, Mark Zuckerberg revealed to the world his pet project: an AI interface that responds to voice and text commands to turn off lights, play music, and activate his toaster.
All of the interactions that Zuckerberg built connect with each other through what is broadly called the “Internet of Things,” or IoT. As Monaco warned, it will become a powerful avenue for cyber-attacks at home.
The IoT gives everyday objects network connectivity. Arriving at the intersection of hardware, software, data, and service, the first IoT device was created at Carnegie Mellon University, where researchers built a Coca-Cola machine capable of reporting its own inventory and the temperature of beverages.
By 2020, experts expect there will be over 50 billion connected devices in the world, including everything from biochips to baby monitors, self-driving cars to insulin pumps.
We don’t have to imagine what an IoT attack might look like. In October, it was widely reported that a New Hampshire-based company named Dyn fell victim to a series of denial-of-service attacks. Dyn is a domain name provider, which maps domain names to corresponding IP addresses.
The attack knocked down many sites, including Netflix, the New York Times, BBC, and Amazon. Some were down for as long as 6 hours. While DDoS attacks are not new, what is new is how the attackers accessed Dyn’s servers.
Malicious requests poured in from millions of IP addresses – imagine a stampede of animals barreling through a locked iron gate – into things like cameras, residences, baby monitors, printers, and other connected devices.
Attackers were taking down the most visited sites on the web through devices that individuals and companies had connected to their networks.
Another widely reported example of a cyber attack’s effect on infrastructure was the Stuxnet virus. Introduced via flash drive to the Natanz Nuclear Facility, this virus was co-deployed by the U.S. and Israel to physically destroy centrifuges.
Attacks may begin as an inconvenience, like losing access to Netflix for a day. Others seem like elements of distant geopolitical conflict. They will get much worse, and much more personal.
Baby monitors, cars, insulin pumps, lights in tunnels, power to hospitals, dams, and moveable bridges are among the things at risk. The risk of these devices being accessed, controlled, and used as biological, physical, and environmental weapons exists. This apocalyptic, doomsday scenario is not unrealistic.
While the industry grows at a pace that seems to outrun efforts to secure it, there are organizations that recognize the risks and are beginning to develop protective tools. The Internet of Things Security Foundation was launched in 2015 as a coalition between major IoT companies to beef up hardware security, and a number of other groups, like BuildItSecure.ly and the Online Trust Alliance’s IoT Trust Framework, are falling in line.
For those in the hardware industry, it’s time to think long and hard about device security. If you’re a consumer, you might want to reconsider your electronic purchases.
Perhaps it’s time to bring back the clap-on lights and good old-fashioned board games.
The views expressed by Contributors are their own and are not the views of The Hill.