By Brian Witten, Sr Director, IoT Security, Symantec
Looking back on 2014, it's hard not to notice how much more Internet-connected people have become. Information about us is collected on a growing number of devices and apps, and we're relying more and more on automation. As a security expert in this connected world, I thought it might be a good time to reflect on some of the consequences of failing to fully address security in the Internet of Things (IoT), with a list of the top 10 IoT security mishaps from 2014.
10. You did what to my car?
If you haven't yet seen the video of a passenger disabling the brakes from the back seat, start there. True, in the video the hackers had a physical connection to an in-car data port. For better or worse, lots of cars now have wireless access, sometimes even over the Internet. Fortunately, as of 2014, many automakers are taking security much more seriously.
9. High tech hitting the ATM
Ever imagine walking to an ATM, and pulling out cash, without the cash coming out of your account? Of course, the malware behind this type of scam was discovered months earlier.
8. Low tech hitting the ATM
Of course, not all criminals are malware experts, so some just hold the shutter down at the right time.
7. Point of Sale surprises
Very sadly, dozens of retailers were hit by "Point of Sale" (POS) terminal breaches this year, as the very devices that we use for checkout at stores were compromised at scale. Many of these breaches could have been prevented through proper deployment of reputation-based and embedded security technologies. If you're concerned about your POS terminals, please contact us to be sure that your POS vendor is embedding appropriate security. We're making such technologies easier to deploy at scale, and also quickly supporting new platforms. We're not alone in that.
6. Heartbleed hits hospital networks
5. Even oil rigs get hacked
In 2013, much of the public began to realize that the security of truly "industrial" systems wasn't quite what they hoped, as a number of researchers began demonstrating the vulnerabilities. Perhaps more importantly, the UK estimated that such cyberattacks against oil & gas infrastructure, including oil rigs and shipping vessels, already cost UK oil & gas companies more than a half billion dollars per year.
4. Leave my kids alone
Stories like this make people want to scream, "Stay out of our bedrooms!" However, unless we lock our doors and ensure security is built into those devices, criminals will be criminals.
3. Stop following me
Of course, we've seen home cameras hacked for years, with many other examples, and the Shodan search engine even makes it easier to find such vulnerable or open cameras. However, this year the "creepiness" factor seemed to scale up to the level of a whole city, as some sites can now display people's mobile location on a map in real time by remotely tracking their mobile device, tweets, and other Internet usage.
2. Power Strip or PLC
Of course, years ago Stuxnet had code to muck with the Programmable Logic Controllers (PLCs) of nuclear enrichment centrifuges. Not many industries are in the nuclear enrichment business, but countless industries depend on these very (very) important "little" things known as PLCs. A few years ago we saw a hardware hack where a malicious PLC could masquerade as a power strip, but this year it got easier, as people began to demo shutting down process control networks via text message for roughly $400 in hardware.
1. Farewell Trans-Siberian Pipeline
A three-kiloton explosion of oil & gas resulted when "pump controllers" for Russia's Trans-Siberian pipeline were maliciously programmed to accelerate the oil & gas to unsafe speeds. Surprisingly, a US Central Intelligence Agency website claims responsibility. Fortunately, it was decades ago, long before Stuxnet.
True, some of these stories are not "new" in 2014, so this is only an "update" to a short list of ten. However, if you want the future to be better, not worse, join the discussion with #IIConsortium on Twitter or on our LinkedIn page, and learn more about the IIC at www.iiconsortium.org.