Hackers sound alarm about Internet of Things

A hacker with a smartphone can unlock your front door. Your refrigerator becomes infected with a virus that launches cyber attacks against activists in Bahrain. Criminals and intelligence agencies grab data from your home thermostat to plan robberies or track your movements.

According to computer-security researchers, this is the troubling future of the Internet of Things, the term for an all-connected world where appliances like thermostats, health-tracking wristbands, smart cars and medical devices communicate with people and each other through the Internet. Many of these products are already on the market, and over the next decade, they are expected to become dramatically more commonplace.

For consumers, the Internet of Things will allow high-tech convenience that not long ago seemed like science fiction — a car’s GPS automatically turning on the air conditioner in your house as you drive home from work, for example. But security experts see a dystopian nightmare that is quickly becoming reality. A study released last week by Hewlett Packard concluded that 70 percent of Internet of Things devices contain serious vulnerabilities. Experts say it’s the latest evidence that our dependence on Internet-connected technology is outpacing our ability to secure it.

“You’re taking things that weren’t connected and weren’t vulnerable and putting vulnerability and connectivity on all of them,” says Joshua Corman, a security strategist and the chief technology officer at the software firm Sonatype. “So if the Internet is a perfect surveillance machine, what happens with the Internet of Things? It’s just gonna take that to the next order of magnitude.”

Over the past year, Corman’s security advocacy group, I Am the Cavalry, has been trying to navigate this storm of connectivity not by finding and fixing bugs themselves but by persuading people in industry and government to start viewing computer security as a public safety issue. The group says it has attracted a few thousand supporters since its inception, but it functions more like a philosophical movement than a lobbyist group. Its goal is to spark a kind of spiritual renaissance for “white-hat” hacking — the practice of researchers finding vulnerabilities in order to improve security for all — pushing an affirmative security message in Washington, D.C., and Silicon Valley that helps translate critical research into safer technology for consumers.

The Internet of Things is one of the biggest topics the security community is grappling with this week as thousands of hackers head to Las Vegas for Def Con and its corporate sister event, Black Hat. The twin security conferences will feature talks on everything from defending your car against hackers to commandeering satellite-communications equipment aboard commercial airliners to tinkering with the electronic amenities of a luxury hotel.

Computer-security experts have been warning the public about cyberthreats for decades, using conferences like Black Hat and Def Con to publicize new vulnerabilities in systems and software so that their security can be patched and improved. The process has never been simple. Sometimes researchers face legal threats or risk running afoul of the law, due in part to the 1986 cybercrime legislation known as the Computer Fraud and Abuse Act (CFAA), whose elastic definitions of “unauthorized access” have given prosecutors wide latitude to pursue perpetrators for relatively innocuous acts like automated website scanning. More often, the computer threats they expose are downplayed or simply ignored.

Last year, Defense Department-funded researchers Charlie Miller and Chris Valasek revealed how a hacker can enter commands directly into a car’s digital control system — disabling the brakes or turning the steering wheel, for instance. The duo reported new vulnerabilities this past week in the 2015 Cadillac Escalade and 2014 Jeep Cherokee, saying both cars can be hacked via wireless Bluetooth, which runs on the same network as the vehicles’ braking, steering and engine-control systems. While some in the auto industry have responded with concern, many manufacturers have been silent or tried to downplay the findings.

Corman sees a security talent pool that has been overly focused on protecting “highly replaceable credit card data” — referencing the data breach that compromised 70 million Target customers last year — while little is done to address threats to life and limb from the connected devices being placed in homes, hospitals and human bodies, often with no security at all.

An alarming example came earlier this year when a researcher discovered that hackers could remotely gain control of medical devices including defibrillators, X-ray machines and drug-infusion pumps. Electronic door locks, home-security systems and other devices that are now being connected to the Internet have also been shown to suffer from what researcher Sarah Zatko calls “security-afterthought syndrome,” a tendency among companies to ship first and ask digital-safety questions later.

“We’re trying to get to a point where the people designing, building and deploying digital infrastructure are more conscientious about the impact on human life,” says Corman.

One solution proposed during the Cavalry’s panel at the Hackers on Planet Earth (HOPE) conference last month in New York City is increased legal liability for companies that deploy software to consumers. It would be a significant change — currently, the end-user license agreements consumers endorse before gaining access to software typically absolve companies of any responsibility for what happens as a result.

One of the panelists, Andrea Matwyshyn, a law professor at the University of Pennsylvania’s Wharton School, noted the tension between security and innovation — the latter normally running roughshod over the former.

“There will inevitably be cases dealing with code malfunctioning in potentially deadly items such as a car,” she said. “On the one hand we need to have responsible code, but on the other hand we also need to be conscious of the space that creative people need to build new products and offer us the next generation of technology.”

In Washington, cybersecurity fears have been manifested in the form of controversial bills like the Cyber Intelligence Sharing and Protection Act and its most recent incarnation, the Cybersecurity Information Sharing Act, which propose protecting critical infrastructure (like power grids and nuclear facilities) by creating intelligence-sharing arrangements between private companies and the government. Some lawmakers have separately proposed expanding the CFAA to catch more cybercriminals with looser definitions and harsher punishments.

Privacy-minded hackers and civil-liberties advocates have loudly condemned those efforts, warning that they will expand the government’s collection of Americans’ private data and chill legitimate research while providing only a theoretical security benefit. But people familiar with the discussions say that many in Congress still don’t understand their objections.

The disconnect has partly to do with long-standing grievances between government and the hacking crowd, no doubt intensified by the disclosure of the National Security Agency's mass-surveillance programs. A few days before last year’s Def Con, founder Jeff Moss asked that federal agents not attend the conference, citing high tensions that had resulted from Edward Snowden’s revelations.

Nevertheless, members of the Cavalry say engaging with people in Washington is key to making sure that cybersecurity policy protects the public. Their response has been to form a community of technical experts ready and willing to use their skills to help lawmakers, innovators and software engineers make the next generation of connected devices safe for consumers.

The mission is still in its infancy, but Corman says that headway has been made. He describes another group of researchers that had been demanding protection from the CFAA, unsuccessfully. But when the Cavalry emphasized the greater need for public safety in consumer technology, Congress and staffers were much more receptive, he says.

“Instead of trying to shout at them or preach to them, you’ve got to get them to invite you into that conversation,” said Cavalry member Beau Woods during the HOPE panel. “I think that it has to start with education. ... Otherwise you’re just going to be butting heads with each other, and that’s clearly not effective.”