Understanding the Internet of (Hacked) Things

blog_imageImagine a scenario when your alarm clock is connected to the internet, and accesses your calendar to know when and where the first appointment of the day is. It simultaneously cross-references that against the latest traffic conditions, depending on which you can sleep a little longer or wake up earlier. The curtains in your bedroom open, the water heater gets switched on and coffee gets ready automatically—all this before you even get out of bed. You don’t have to worry about your kids brushing their teeth as the toothbrush sends a message to your smartphone, informing you when the task is done. And as you are ready to leave for work, the tracker on your key chain alerts you about its location.

This may sound something out of a science fiction movie to some people, but in fact, is a close reality.

All this can be possible with the ‘internet of things’ (IoT), where chips and sensors are embedded in everyday objects, making lives not only unified but also convenient. IoT means that all physical objects will have an internet protocol (IP) address and get transformed into mini computers. Right now, these activities cannot take place as the current version of IP (IPv4) has run out of unique addresses, making it impossible for devices to be connected to the internet. The solution is IPv6, which will replace IPv4 and increase the available internet address online. While IPv4 can support about 4.3 billion connections; IPv6 can potentially provide a unique address to every single atom on the planet. With IPv6, all tangible objects—your lamp, car, television, refrigerator—will become smart objects.

Today, there are millions of people using multiple wireless technologies, from WiFi to near field communication (NFC), Bluetooth, radio-frequency identification (RFID) and others. Soon, there will be billions of devices using these to communicate over the internet. The downside: all these communication technologies can be hacked. It has been observed that WiFi (especially public WiFi) and Bluetooth can be breached, and RFID hacking devices are apparently available on the internet for less than Rs3,000. NFC, which is used for payments, has also possibly been compromised on occasions with hacker applications such as NFCProxy. With more mobile devices enabling mobile payments with NFC, it is likely that cyber-criminals will increasingly attempt to exploit the security loopholes. The IoT can also lead to hardware hacking, which is the use of hardware components to hack into a device.

Today, many users are aware that downloading apps from unverified sources or opening unknown computer files might give their phones a virus, but not many know that their choice of mobile phone charger can also lead to the same. It is said that researchers have already built a hardware virus, embedded inside a compromised USB charger, which is capable of targeting certain mobile phones by just plugging in the power chord.

In 2013, it was reported that customs officials (of a particular country) noticed that a series of electronic consumer goods manufactured (in another country) contained hidden miniature WiFi chips. Further scrutiny revealed that these could spread malware to any open internet network within 200 metres and were able to “phone home,” relaying secret messages. So, imagine protecting a world where every physical object—from pacemakers to self-driving cars—is connected to the internet and is at the risk of being hacked from anywhere on the planet.

The reality is that, in fact, it is impossible. Cautiously speaking, the promise of the IoT could turn sour, and probably become the ‘internet of (hacked) things’, which is a hotbed of many malicious opportunities for cyber criminals. The IoT and its underlying protocols (which may not be secure) can have the potential to open a Pandora’s box of security vulnerabilities on an unprecedented scale. Constantly changing technologies can make it tough to secure today’s global information systems completely. Advancement enables modernisation, but the security of data and systems is sometimes kept aside during the process of innovation.

Therefore, it is paramount for the C-suite as well as technologists to consider all possible security aspects as comprehensively as possible while keeping in mind any future risks. After all, a thief attempting to break into a house will have more options if the house has more doors and windows, especially if all these are connected to the internet.

The above article first appeared in Mint and can be accessed here http://bit.ly/IoT_Mint

Follow @EY_India and track #EYForensic for regular updates


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s