Just because IBM suffered a marketing hiccup doesn’t mean I’ve forgotten about doing 2016 predictions. This one is simple — a confluence of anti-hacking paranoia combined with the Internet of Things (IoT), which will lead to any number of really, really bad events in 2016.
Remember how the CIA or the NSA or whatever agency it was hacked a few years ago the Iranian nuclear centrifuges making enriched uranium? The centrifuges updated their software over the Internet, loading doctored code that eventually caused the machines to overspeed and shake themselves to pieces, putting the Iranian nuclear program months or years behind.
Now imagine much the same thing happening to your Internet-connected thermostat, baby monitor, or car. We’ve already seen hacking demonstrations kill cars as they drive down the street. Well, there will be lots more where that came from.
I’m sure we’ll see one or more really serious IoT data security breaches with profound negative effects in 2016, destroying property and possibly costing lives. This is unlikely to be the work of script kiddies and more likely to be state-sponsored.
The cyber war has already begun.
This is not to say we should abandon the IoT or the Internet (it’s already too late for either) but that hardening this new network segment and making it more resilient is vitally important, as is finding ways to monitor the IoT and quickly recover from attacks.
One thing is for sure: IoT data security is going to become a huge business over the coming years — probably bigger than the IoT itself.
One Jim Stone claims the very same stuxnet caused Fukushima.
I dismissed him as a crank until he claimed a lot of facts about the recent Haj stampede that was initially denied but later proved to be true…
A computer virus caused the stampede? Do tell!
Stuxnet caused an earthquake and tsunami? The number of mistakes made in the design, construction, and operation of Fukushima is huge, on an epic scale. I have a close personal friend who is an expert in nuclear power plant safety. He shared with me stories of members of the Japanese nuclear industry at industry meetings and conferences. In designing safe systems one begins by asking some very basic questions. If this piece of equipment fails, what happens? You then improve the design to tolerate the failure safely. In these discussions the Japanese engineers could not get past the concept of equipment failing. They thought they could build perfect equipment that would not fail. Well, they may have designed and built some really great equipment for Fukushima, and it worked perfectly right up to the moment it was destroyed by a tsunami. Oops. The world now has to deal with another nuclear disaster…
The line from Spiderman “with great power comes great responsibility” applies to technology, its design and use. For as long as engineering has existed the profession has had to worry about failure, safety, and the good of society. Sometimes, tragically, the awareness happens only after a tragedy. The IoT is our next great challenge. Will we build safety and security into it, or will it happen after the fact, after mistakes are made?
qv. the Tay Bridge disaster. Compare the original Tay Bridge with the Forth railway bridge, begun three years later, and designed to assure the public of its safety. A lot of people had to die horribly for the lesson to be learned.
Nyeah not this year.
It would become a problem if and only if IoT has already been deployed massively.
But… where is it?
Likely already in traffic lights/cameras, airport terminals, security checkpoints where card readers/cameras/gates are, refrigeration units in most stores/warehouses, semi trucks (along w/ GPS equip), police car equipment, baby monitors/toys (see Vtech hacking stuff recently), etc.
It’s all over, and you probably don’t even realize it.
I would assume the IoT is in smart meters that utility companies use to bill users instead of having to pay someone to manually read power and gas meters.
I’ve had a smart meter for years now and they still read it manually. This may change as such meters reach far more wide-spread deployment, but various technological glitches combined with unexpected (and sometimes profound) customer resistance have dramatically slowed down that process.
Duke Energy has been hawking the internet connected smart thermostats for over a year now, the idea being that you can get one for free –or even subsidized– if you allow Duke to occasionally control the thermostat during peak periods.
Given that I have a heat pump which loses efficiency whenever the auxiliary heat kicks in, a smart thermostat isn’t really an option anyway. But an internet connected thermostat? Not needed at all, thankyouverymuch.
I’d say it’s too early for this in 2016. Devices that fall under the umbrella of the “Internet of Things” (dumb term, IMHO; really it’s just a buzzword-ified version of the word “networked”) aren’t yet widely deployed enough. Even the ones that are deployed won’t do much more than cause some frustration or annoyance if they’re hacked. “Oh no, my thermostat is acting strange.” “Damn, my utility bill is unbelievable! Someone must have hacked the smart meter on my house!”
FWIW, the smart meter for water on my house was giving inaccurate readings for much of last year, making my water bill 8 times as high as it should be. So I would go out and read the meter myself every month, taking a photo of it with my phone’s camera, and complain to the water company. They’d send out a person who’d read my meter, and adjust my bill. At some point they managed to fix the problem. This is the kind and degree of problem people should expect if their smart meters for water, gas, or electricity get hacked. There’s very little value in hacking these things with malicious intent. The only result will be that the utility company will have to send out a person to read the meter manually. In the vast majority of cases it’s still going to be a regular old analog device with a gauge on it that can still be read manually, with an additional box wired to it that’s networked to send the data back to the utility.
I agree with your timeline. However, I am not so worried about the inconvenience of a bad meter reading as I am the regulatory downside…eventually I expect our government authorities to require utilities to report smart meter readings for water, gas, and electricity usage to find those who don’t comply with green economy regulations. Those wi-fi enabled appliances you configured for maintenance notifications can also provide fairly detailed information on the habits of your household, and they may even have kill switches that could be used to limit usage (such as limiting electric dryer use to off-peak hours).
It doesn’t take smart meters to do any of what you say apart from specific day-and-time monitoring. Also, they already have tiers of service, and charge you more if you go over the average range of service for households of your size. So they’ve got the data already, and have for decades. This is nothing new.
@BJ has it right, farther down page. The danger from a hacked smart water meter isn’t in bad or missing readings, it’s in using that device as a stepping stone to gain control of others.
My smart water meter isn’t networked to anything in my house. Neither are the smart meters on my gas and electric utilities. I expect the same will be true for the vast majority of people who have smart meters. So what are they going to be used “as a stepping stone to gain control” of, other than a neighbor’s smart meters?
For those doubting the possible impact, I’ll just add that we have more than one Sony “smart” TV at home, which is connected to the internet to be able to play YouTube etc., and I can promise that all hell will break loose in the family when/once some hacker finds a way to damage the TV, so that the kids can’t watch cartoons any more…
Oh no, your kids might have to actually (gasp) *go outside* to play! Or maybe even… read a book! Unthinkable! The horror… the horror… 😉
More like using the smart TV’s data to hack your Netflix or Hulu or Steam account, and from there gain access to your credit card.
DVR snaps stills from CCTV surveillance and sends them to China
https://nakedsecurity.sophos.com/2016/02/19/dvr-snaps-stills-from-cctv-surveillance-and-sends-them-to-china/
Bob,
I think Stuxnet got onto the centrifuge controllers via an infected USB stick. As I understand it they were air gapped from the rest of the world.
Mark
That’s how I remember the incident as well. They had the PLCs insulated from the internet so StuxNet was developed to do its job via USB.
Bob needs the story to fit his narrative, just like the Target hack was caused by outsourcing.
It wasn’t just USB sticks, but likely direct breakins to steal Windows certificates held by hardware manufacturers.
I thought they were air-gapped, hence USB.
Wrong. IoT was already a nightmare in 2015. Just like any other unattended connected computer. It’s a worse nightmare just because of the number of connected things.
I think it all comes down to what constitutes a “really serious IoT data security breach”. Hacking my TV (which is, in fact, connected to the internet and does automated downloads) is a somewhat pricey inconvenience but would that be a “really serious” breach? Getting my viewing habits or bricking my TV is not something I’d consider a major issue as much as I’d prefer it didn’t happen.
Now, hacking my car so that the adaptive cruise control causes an accident, that would be serious. Hacking hundreds at the same time, that would be really serious.
If you have your TV or a gaming console store a subscription service’s password, a hacker can then gain access to your credit card info via those accounts.
Or they’d piggyback on your account, getting access to free streaming without your knowledge or consent.
One thing to keep in mind with respect to IoT is that one of the biggest initial areas that will see value is within Manufacturing and Logistics. The larger concerns about security breaches are within large scale manufacturing and/or logistics operations (essentially corporate espionage) and not tied to consumer IoT usage.
Industrial IoT is called SCADA, and is already known for abysmal practices, relying primarily on security by obscurity.
Wait, I worked for an internet of things flop. Yes our security was an afterthought. We spent all our time just trying to get things to work and keep the servers from falling over.
How can you have a security nightmare when no one is buying? The number of thermostats installed is microscopic compared to the world wide population.
IoT is over hyped by the semi vendors hoping for a big new market to continue growth when the industry is mature. The time it will take to get smart devices into factories and homes is a normal replacement cycle. Not one company has given a compelling reason to rip out and replace industrial equipment, TVs or appliances. This is not like a PC or smart phone, where there was a 10x difference that made the upgrade worthwhile.
Search for IoT and all you find is articles like this “security” and “you will be hacked”. All the security talk is killing the goose before it can lay any eggs. Consumers won’t buy if they are frightened.
Oops, I dumped my IoT marketing idea. “We did security right, guaranteed.” Bam, that will sell.
I don’t do any IoT stuff. First, it’s a fad with lots of install/maintenance overhead (oh, I have to open my wifi and my DSL router to port 666, but only for the DimBulb Controller, and I have to limit the address bank for that system…). Second, it’s five times the price. I have not won the $1.5 billion lottery yet. Third, if I’m the only one in the house that can make the VCR play on the big screen because the Harmony remote only has 6 preset magic functions, do I want the thermostat and the lights and the door locks and the bread maker and the vegetable crispers put behind a Wall Of Technocrats?
Captain, this is illogical.
I think a more general prediction is that IT security in general will become a nightmare (if it isn’t already). One of my primary job responsibilities is security. Not so much keeping the bad guys out, but rather keeping our “secret sauce” digital IP secure. We have measures in place that many would consider extreme: just one example, separate PCs for internal work and Internet connections (they can’t talk to each other); USB mass storage is disabled (both at the registry and domain policy levels); and the PCs are in locked steel cages. And that’s just the start. We’ve had people try to steal code on several occasions, so while it often feels like paranoia/overkill, experience shows that if we don’t do it, IP will be stolen. But at the same time, I see on sites like ServerFault, when I search or ask about how to do certain things, without fail, I get responses like “Why would you want to do THAT? Don’t you trust your users/admins?” I’ve called consultants asking for help with some of these issues, and can’t find people with the background and expertise to do what we want. If my experience is at all representative of the prevailing attitudes with regards to IT security, then attacks, breaches, leaks, compromises, etc. are every bit as sure as the sun rising tomorrow.
Matt, more likely your company would be more profitable if you switched to security consulting.
Join the club.
For every time I hear that we’re too paranoid about security, I’ve seen software packages from supposedly mature companies that still don’t use SSH, fer pete’s sake. And then we get people asking if they can use FTP to move files around, because SFTP or SCP isn’t available for the software they have.
This is pretty basic stuff, but even after all of the data breaches the past several years, people are still stuck in the “the internet is so big it won’t happen to me” strategy.
Good prediction. Good challenge. Does everything made need access to the Internet? Probably not. Should we have the ability to (very easily) control the interaction between IoT products and the Internet? I think yes. How do we make this happen before we have yet another massive problem on our hands?
It’s not so much that hackers will hack your thermostat in order to change your heat settings, they’ll use it as a vector to gain access to the rest of your network.
https://www.theregister.co.uk/2016/01/12/ring_doorbell_reveals_wifi_credentials/
“Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell”
When I built a house 3 years ago I put something like 90 CAT5/6 runs, always with at least 2 going to every point. I was laughed at back then by the WiFi crowd, but apart from the security aspect, twisted pairs allow low voltage power routing. And yes, I have a block of 20mm fuses with one dedicated for every wire used as a power run.
The idea of “connected” home appliances has been around in one form or another for a long time, and, as is still true of the IoT iteration of it, almost all of the thought and worry has gone to connection, not protection.
And Bruce Schneier chimes in (again) on the same topic…
https://www.schneier.com/blog/archives/2016/01/the_internet_of.html
This is a softball prediction. It’s not hard to predict the present!
I’m going to go out on a limb and predict that in 2016, my mother will choose weak passwords.
Hacking will occur, but the one universal consequence of this is that everything will have a physical power off button.
Physical on/off switches. That’s a wish not a prediction, too much like common sense (but a wish I deeply share!).
There’s always the power plug or the battery.
Just a technical point – the target systems for Stuxnet were not connected to the Internet at all and the malware was deployed by USB.
It is a technicality but if you consider the logistics of getting a “spy” to load malware onto an industrial system in a nuclear enrichment plant – it adds something to the story.
This is actually a very simple prediction. It is like saying that “hoverboards” will burn down houses in 2016 and be banned in certain places. We know that they are unsafe, we know that corners were cut, the coolness factor made everyone ignore the risks of unsafe batteries, we know that statistically somewhere somehow one of these devices will cause a fire that will burn down a house. We know that the government will then start to look more closely at these devices.
It is an analogy but pretty close to the IoT case. Linux servers on a chip are about $5 so this means that they can be added to anything. No extra money will be allocated for “security” and these will be dumped on consumers who will be cost conscious. These will be plentiful and easily hackable.
The one thing that will protect the world from this army of devices is the one thing that protects us now – NAT. These little devices will mostly sit on “private” (RFC1918) networks and so will be difficult to get to. Look out for CSRF, spoofing and trojan horse attacks – essentially hacking humans in order to hack their things.
Not if the little IoT thing comes with the nasty habit of wanting to phone “home” for various reasons, as seems to be the case for most of the network enabled devices today. It is becoming more and more difficult to find devices that are not “cloud” enabled and whose functionality is not “cloud” dependent. Ironically it’s the NAT that pushes for that need, as the manufacturers provide their “cloud” to make said devices easier to use.
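As an added example (not code from the post or from any commenter), a small Python script that inventories which devices on an RFC 1918 network open connections to public addresses, the “phone home” traffic the two comments above describe that NAT does nothing to block. The flow-log lines are constructed sample data; the 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for vendor cloud endpoints.

```python
import ipaddress
from collections import defaultdict

# The three RFC 1918 ranges: the "private" address space behind a home NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


# Constructed flow-log sample (not real traffic): "timestamp src dst dport proto".
# 192.168.1.20 is a TV, .21 a thermostat, .22 a printer; the public addresses
# are documentation ranges standing in for vendor cloud servers.
SAMPLE_FLOWS = """\
2016-01-12T08:00:01 192.168.1.20 192.168.1.1 53 udp
2016-01-12T08:00:02 192.168.1.20 203.0.113.10 443 tcp
2016-01-12T08:00:05 192.168.1.21 192.168.1.1 53 udp
2016-01-12T08:00:06 192.168.1.21 198.51.100.7 8883 tcp
2016-01-12T08:00:09 192.168.1.22 192.168.1.30 80 tcp
2016-01-12T08:00:10 192.168.1.22 192.168.1.1 123 udp
2016-01-12T08:01:00 192.168.1.21 198.51.100.7 8883 tcp
2016-01-12T08:01:30 192.168.1.21 198.51.100.7 8883 tcp
"""


def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def phone_home_report(flow_text: str) -> dict:
    """Per local device, count outbound flows that leave RFC 1918 space.

    Flows that stay inside the private network (DNS/NTP to the gateway,
    printer traffic) are ignored; what remains is the device's cloud
    dependency, i.e. the traffic to watch, restrict or at least know about.
    """
    report = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_rfc1918(f["src"]) or is_rfc1918(f["dst"]):
            continue  # not from the private side, or never crosses the NAT
        report[f["src"]][(f["dst"], f["dport"], f["proto"])] += 1
    return {src: dict(dests) for src, dests in report.items()}


if __name__ == "__main__":
    for device, dests in sorted(phone_home_report(SAMPLE_FLOWS).items()):
        print(device)
        for (dst, port, proto), count in sorted(dests.items()):
            print(f"  -> {dst}:{port}/{proto}  ({count} flows)")
```

Feeding real router or firewall flow logs into `phone_home_report` gives a per-device list of the external endpoints each thing depends on, which is the starting point for egress rules that allow only those.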
Bob is right, the vulnerability of the internet of things will only grow. This will be especially problematic for large things, infrastructure and SCADA systems. So, having invented the internet, it’s time to invent a uninet. Real private networks, not virtual. And to support them, new technology is needed. Protocols, hardware and network designs that cannot work with the internet must be invented. Systems that flag every leakage into or out of the network to any other system are required. Might sound impossible, but in theory quantum encryption would permit just that. Probably not in 2016, but sooner rather than much later.
Lots of great comments here!
I do loves me some hardwired networks.
Just don’t connect all these things to the Internet?
Why the thermostat? What does the Internet add to that?
Well, apart from the ability to download patches to protect it from being hacked over… the Internet.
You can get pretty much all the benefits of these things without the creepiness/vulnerabilities using a cheap local processor, which it’s got anyway to handle the comms.
It’s usually due to the fact that most of said products are thrown on the market half baked and require constant updates until (some) of the marketed functionality is actually delivered. And also because it provides the manufacturer with “feedback” that he can further sell for extra revenue.
A few days ago a friend told me about an idea for an IoT safety product. It is a very good idea. He should have the chance of pursuing his dream and turning it into a viable product, so I won’t disclose his idea here. Trust me, it’s a really good idea!
Ten years ago it would have been very hard and very expensive to take this idea and turn it into working prototype. Today everything my friend needs can be found in a $180 Raspberry Pi development kit. In a few months he should be able to develop a working prototype. He will be able to show it off, get investment funds, and commercialize it. I can see every household owning 1 or 2 of these devices someday.
The Raspberry Pi is a great development platform. I have a tremendous respect for the Foundation and their accomplishments. In the Raspberry Pi and its large eco-system of companion products are the tools to build great IoT products. The problem is this technology is not very secure. The cyber bad guys will have no problem hacking into them. The Raspberry Pi Foundation should not be expected to produce and support commercial grade security hardened software. If anyone mass produces a device based on the standard Raspberry Pi software, we’ll have another security risk.
It is important we understand the potential. The Raspberry Pi gang are selling millions of units. They are an amazing success story. If you or I had a good idea, the economy of scale exists whereby we could produce 10,000 or 100,000 units fast and easy. An idea today could be on store shelves by summer. We can expect sudden explosions of IoT products soon and if they aren’t designed well, we’ll have sudden explosions of cyber hacking of them shortly thereafter.
Chip vendors are way ahead of rPi. All the major vendors are shipping IoT SoCs and many standards bodies have WGs. The frightening thing, as some have written here, is that security is not mandatory.
Not much of a prediction, Bob. Security boffins have had ulcers over this for a while.
Maybe the movie “Maximum Overdrive” can still happen. Stephen King was just ahead of the IoT.
For the record I think in some cases web enabled devices make sense, but in many it’s just not a consumer need of value add. On the high point you really don’t need to give your toaster the password to your WiFi.
Not hacking I guess, but today’s news says that Nest thermostats have died due to a software update which I presume was done over the internet.
It is still possible in the case of the Nest thermostat to go downstairs (or to the attic or the crawlspace, or wherever the physical furnace is located) with a clip lead or a piece of wire. There will be two wires to the thermostat. Clip across them if you get cold, and the furnace will turn on. The trick is, you have to take the wire jumper off again when you are warm. Furnaces have a safety cutoff if it gets too hot at the plenum, due to the possibility of burning down the house and stuff. That takes a while to cool off, and meanwhile, the house will get rather chilly.
OR… put the old thermostat back on, and Google will not spy on how you respond to the temperature any more, and their data to be sold in aggregate to folks who want to sell cold-related stuff will become mostly worthless.
I’ve taken a couple of IoT security webinars, and in both cases the presenter estimated the number of developers actually using good practices as under 10%. Bob’s right, until something seriously crashes, IoT security will be a second (or third, or last) thought.
Tangentially related to Internet of Things, Cloud. CPU bugs are not very common and they are hard to invoke, but they do exist, and of course become more frequent as CPUs become more complicated.
Researchers at Google found a CPU bug that would allow a VM client to put the host CPU’s microcode into an infinite loop. This could DoS everything in a cloud service.
Here is more information: http://danluu.com/cpu-bugs/
Lemme guess. Your next prediction will be that porn is going to be popular this year.
HA! Sure, but which type of porn? Branding is key, as is the price point. Porn has always been ahead of the curve with technology. Look at how they’re leveraging advanced robotics for example.
Seriously though, the next few years of the decade should see an enhanced focus on these things:
Security Considerations
ID Protection
Payment Systems
Stemming the flow of every inanimate object becoming “connected”. There’s good reason fridges should remain dumb. There’s also a good reason people should try to remain smart.
We are hearing a lot of noise regarding IoT. But it is true that the Internet of Things is changing.
A full scale IoT can only happen when IPv6 is ubiquitous. There aren’t enough IP addresses to do it using IPv4.
NAT