The idea is horrifying. You’re at the hospital, hooked up to machines that are there to preserve your life and maintain your comfort as you fight off whatever illness brought you there. Suddenly, the heart monitor alerts the medical staff that you are having a heart attack.
Getting you from the ER to the operating room quickly means the difference between life and death. Except, the elevators are down because a hacker across the world managed to get into the hospital’s network by way of an insecure IoT device.
This is a nightmare scenario. It’s just one of many possible cases that security expert Bruce Schneier warned are in our future if we don’t take steps to secure and better regulate the emerging Internet of Things.
The proliferation of cheap “things” in IoT is the issue
“Everything is now a computer,” Schneier said during a November hearing by the House Energy and Commerce Committee. “Our refrigerator is a computer that keeps things cold. Your car is not a mechanical device with computers, but a computer with four wheels and an engine.”
Schneier’s opening statement, which went down several key points of concern from a security perspective, highlighted the growing problem that comes with a rapidly-expanding network of connected devices. Among these points was the truth that most individuals won’t replace or update the software on these devices as frequently as we do our smartphones or desktop computers.
A large portion of these connected devices is made cheaply by small teams. Security updates and software patches are rare for smaller, less complicated IoT devices. Even the most popular IoT solutions produced by reputable brands have been a frequent target for exploitation.
“A lot of them cannot be patched. Those DVRs. They can be vulnerable until someone throws them away.” Schneier said, “Your DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going to replace my thermostat approximately never. The market really can’t fix this. The buyer and seller don’t care.”
Watching hacked Philip's Hue lights at #BlackHat2016 pic.twitter.com/gHeBUVLCBG
— Friend-Entity Max Eddy (he/him) 🐀 (@wmaxeddy) August 4, 2016
At the Black Hat conference earlier this year, Philips Hue smart bulbs were hijacked in real time during a panel. This shed light — no pun intended — on a very real situation affecting the Internet of Things as it exists today. Many of these devices are built for convenience, not security.
As cities look to connect more of their vital infrastructure to this virtual web of connected devices, including security cameras, street lights, and roadways, we have to be ever mindful of the security risks that come with them. For networks that contain life-critical systems such as hospitals, this is absolutely critical.