In a recent article, "The Internet of Things meets disruptive technologies", I talked about some of the security implications of the IoT, noting that in coming years, threat levels will rise further as the IoT comes online and opens up even more ways for cybercriminals to exploit the weakest links in the ecosystem to move around on the network and seek financial gain.
Many of the commonly discussed threats involve theft of sensitive data, introduction of malware, and ultimately, "command and control"-style sabotage of connected, controllable devices. Of course, the threat level increases as IoT devices become more controllable and more autonomous. In these latter cases, cybercriminals can exploit vulnerabilities to remotely control IoT devices to change sensor or device behavior, to sabotage these devices, or even inflict physical damage on the surrounding environment.
Here are a few scenarios to illustrate the point:
- Connected home hacked to open the front door to thieves, open garage door to steal a car, raise heater to maximum levels to damage air conditioning system and/or household goods, turn off refrigerator, turn off sprinkler system, access personal computers, and so on.
- Connected, autonomous car or delivery vehicle sabotaged to crash via inappropriate acceleration or braking, or sent to incorrect destinations; vehicles such as trains, aircraft, drones, ships etc. similarly misdirected or sabotaged.
- Connected hospital hacked to change the route of delivery robots or the functions of medical devices such as pacemakers and insulin pumps, and so on.
- Connected manufacturer hacked to interrupt functions of warehouse "picking" robots, equipment monitoring and maintenance sensors, plant control systems, supply chain activities, and so on.
- SCADA and PLC systems sabotaged in similar fashion to the Stuxnet worm that spun up Iran's nuclear centrifuges.
In each case the resulting "damage" can range from nuisance issues all the way to serious issues related to potential injury or loss of life, damage to physical property, or even threats to national security.
While hacking and sabotaging the sensors and devices themselves may grab the headlines, one of the other major issues in the future will be the simple theft of detailed and sensitive data arising from the ongoing use of IoT sensors and devices - this is the halo of data that swirls around these objects.
As part of their everyday use, many IoT devices will contribute to what I call the "Internet of Behaviors". This is the detailed usage and behavioral data that's collected as individuals use various IoT devices and systems. It provides compelling insights that organizations can use to gain a better understanding of their customers in terms of their preferences, behaviors and interests.
What this means in terms of the implications for cybersecurity is that cybercriminals will now have more access to masses of sensitive data revealing consumer patterns of behavior. This may well give cybercriminals more data such as healthcare data to hold for ransom, and more data such as daily travel routines to pick the exact time and place for a physical crime. We may also see more thefts of mobile devices since many will now provide physical access to homes and offices.