SAN FRANCISCO, FEB 16 2017 – Imagine billions of sand-sized computing devices tossed into municipal waste, still powered by their batteries and calling out to one another. Imagine them joining a billions-strong botnet stretched across the land, sending short signals to deny service and passing small chunks of malware to anything within radio range.
Think this is something from the future? Think again.
Late last year, smart things such as IP cameras were conscripted into botnets by the Mirai malware family, which disrupted more than 900,000 Deutsche Telekom customers as well as 2,400 routers in England, and it continues to morph and prey on newly found vulnerabilities in other types of smart device.
Meanwhile, smart dust – MEMS, or Micro-Electro-Mechanical Systems – in the form of discarded RFID packaging, micro-sensors the size of salt grains and other smart waste is already being tossed into dumps without any end-of-life kill process, or even a means of switching it off, said Michael Patterson, CEO of Plixer, on the RSA Security Conference exhibition floor.
“These are purpose-built smart devices with unique protocols, communications to their servers, and access to their administrative community,” he says. “Without governance and oversight – like Underwriters Laboratories that we have for other electrical devices – these miniature smart chips have the potential to become a real risk to cyber security.”
So concerning are these smart devices that Adi Shamir (whose last name is the ‘S’ in RSA encryption technology) will soon release a paper titled “IoT Goes Nuclear: Creating a ZigBee Chain Reaction.” In it, he says, he demonstrates how someone could sit in a hotel room, plug a single infected smart light into a socket, and then spread malware from that light to its neighbours.
Given the density of smart light fixtures, an attacker could infect a whole city in minutes, turn off all the lights and hold the city to ransom until it pays to have the lights turned back on, continues Shamir, a professor of computer science at the Weizmann Institute of Science in Israel.
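The density argument deserves a closer look, because it is the whole point: a self-spreading infection between short-range devices only takes off once there are enough devices per square kilometre for their radio ranges to overlap into a connected mesh. The toy simulation below is an added illustration written for this article; it is not code from Shamir's paper, the conference, or any vendor. It drops a made-up number of devices at random into a square area, lets an infection hop from any infected device to every peer within a made-up radio range, and reports what fraction of the deployment a single infected seed reaches. All counts, distances and seeds are constructed assumptions.

```python
"""Toy percolation-style simulation of a short-range IoT 'chain reaction'.

Added illustration, not the model from any published paper: devices are
placed uniformly at random in a square, an infection starts at one device
and spreads breadth-first to every uninfected device within radio range.
Below a certain density the infection dies out after a few hops; above it,
almost the whole deployment is reached.
"""
import random


def place_devices(n_devices, area_side, seed=0):
    """Drop n_devices uniformly at random into an area_side x area_side square.
    The seed makes placements reproducible (constructed data, not a real city)."""
    rng = random.Random(seed)
    return [(rng.uniform(0, area_side), rng.uniform(0, area_side))
            for _ in range(n_devices)]


def spread_from(points, radio_range, patient_zero=0):
    """Breadth-first infection starting at points[patient_zero].

    A device is infected as soon as any already-infected device lies within
    radio_range of it. Returns (fraction_infected, hops), where hops is the
    number of propagation rounds that infected at least one new device.
    """
    n = len(points)
    r2 = radio_range * radio_range
    infected = [False] * n
    infected[patient_zero] = True
    frontier = [patient_zero]
    hops = 0
    while frontier:
        newly = []
        for i in frontier:
            xi, yi = points[i]
            for j in range(n):
                if not infected[j]:
                    dx, dy = xi - points[j][0], yi - points[j][1]
                    if dx * dx + dy * dy <= r2:
                        infected[j] = True
                        newly.append(j)
        if newly:
            hops += 1
        frontier = newly
    return sum(infected) / n, hops


def infected_fraction(n_devices, area_side, radio_range, seed=0):
    """Convenience wrapper: fraction of a fresh random deployment reached from device 0."""
    return spread_from(place_devices(n_devices, area_side, seed), radio_range)[0]


def critical_range(n_devices, area_side, candidate_ranges, seed=0, threshold=0.5):
    """Smallest candidate radio range at which the seed reaches more than
    `threshold` of the devices in one fixed placement; None if none does."""
    points = place_devices(n_devices, area_side, seed)
    for r in sorted(candidate_ranges):
        fraction, _ = spread_from(points, r)
        if fraction > threshold:
            return r
    return None


def critical_density(area_side, radio_range, candidate_counts, seed=0, threshold=0.5):
    """Smallest device count at which a fixed radio range lets the seed reach
    more than `threshold` of the deployment; None if none does."""
    for n in sorted(candidate_counts):
        if infected_fraction(n, area_side, radio_range, seed) > threshold:
            return n
    return None


if __name__ == "__main__":
    SIDE = 1000.0          # a 1 km x 1 km square (constructed)
    RADIO = 30.0           # metres; a made-up short-range radio reach
    # Sweep device count at fixed radio range: the jump is the percolation threshold.
    for n in (200, 500, 1000, 1500, 2000):
        frac, hops = spread_from(place_devices(n, SIDE), RADIO)
        print(f"{n:5d} devices/km^2 -> {frac:6.1%} reached in {hops} hops")
    print("first count over 50%:", critical_density(SIDE, RADIO, (200, 500, 1000, 1500, 2000)))
```

Because the placement is fixed by the seed, increasing the radio range can only add edges to the mesh, so the reached fraction is monotone in range for a given layout; the interesting behaviour is how sharply it rises once the average number of neighbours within range crosses roughly one to two. Real deployments are clustered along streets and blocked by buildings, which shifts the threshold but not the shape of the curve.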
Ransomware holdups have already hit other smart devices: in late 2016, LG smart TVs were hijacked by ransomware that locked them into useless bricks until their owners paid up to get them working again.
“The government should NOT allow devices that are not sufficiently secure to connect to the public internet,” Shamir says, which drew loud applause from the crowd attending the RSA Conference Cryptographers’ Panel keynote session on Tuesday.
Whitfield Diffie, co-inventor of the Diffie-Hellman key exchange in the 1970s (and also on the panel), says that piling more layers of security on top of this problem is not the answer. Instead, he urges everyone to reset their strategies and build security into their products from the start, through secure engineering and secure coding.
“If anything like the resources being spent on interactive security – virus screening, fighting back, et cetera – were spent on the improvement of the logical functions of devices, we’d get much, much better results,” says Diffie, currently a cryptography expert with Cryptomathic.
Will anybody heed such sage advice? Engineering and development have historically focused on getting to market first. Security, if considered at all, is usually an afterthought, or a reaction to the product having already been hacked. That is why we are in this mess in the first place.