The FDA issues a warning that pacemakers and defibrillators might be “vulnerable to cybersecurity intrusions and exploits.” Meanwhile, hackers infiltrate home security cameras to get their hands on users’ private information, and companies like Samsung start building security systems into microwaves. It’s not science fiction; it’s the Internet of Things (IoT).
What is the IoT? In a nutshell, it’s any system that 1) has an IP address, and 2) can transfer data over a network without requiring human-to-human or human-to-computer interaction. The system might consist of computing devices, machines, or objects: for example, a person with a heart monitor that detects irregular beats and delivers shocks to correct them; a fridge that tells you when you’re running low on milk; or a car with tire pressure sensors.
Experts believe that by 2020, the IoT will consist of about 50 billion objects – and we’re closing in on that number quickly. We already have “smart” hairbrushes (they can detect how much pressure you’re applying to your scalp), trash cans, showerheads (they let you turn on your shower from bed so the water will be warm by the time you get there), patio umbrellas, and windows. Lest you think there isn’t demand for these products, about 50% of Americans have a smart device in their homes. That number will go up to 75% by 2019.
New tools for hackers and fraudsters
This rapid growth in smart tech may be causing a tectonic shift in the fraud landscape. Now that the shower communicates with your phone and the microwave hooks up to your wi-fi, hackers have new tools in their arsenals. And if they can access something as important as a pacemaker or as benign as a microwave, how does that change the nature of fraud? How can we guard against it? What does it all mean for consumers?
Researchers, companies, and fraudsters are starting to ask the same questions. In August of last year, the Def Con security conference hosted an IoT hacking challenge to explore security vulnerabilities in smart tech. Appliance manufacturers were left stunned when a security company called Pen Test Partners hacked a Samsung smart refrigerator. The smart refrigerator integrates with the user’s Gmail calendar using SSL – but, as the hackers discovered, the fridge doesn’t validate SSL certificates. The loophole leaves consumers’ usernames and passwords unguarded. And unguarded login credentials are exactly what fraudsters use to perpetuate account takeover.
The security concerns aren’t limited to household appliances. Last year, security researchers at MedSec Holdings claimed to have found security holes in pacemakers and defibrillators manufactured by St. Jude Medical. In addition to correcting cardiac irregularities, the devices are designed to transmit a patient’s biometric data to his or her physician. The hackers figured out how to exploit these conduits to carry out two attacks: one that crashes the cardiac devices, and another that drains the devices’ batteries. Their methods were allegedly so simple that they were replicated by a group with no background in cybersecurity.
And in 2015, hackers tapped into and killed the transmission of a 2014 Jeep Cherokee that was being driven down a St. Louis freeway. The hackers developed software that allowed them to send commands through a Jeep’s entertainment system to its dashboard functions, steering, transmissions, and brakes. Using a laptop miles away from their target, they could control thousands of Jeeps by opening up an internet browser.
Companies scramble to secure IoT devices
Many of these security loopholes seem to exist simply because companies never thought to close them. While techniques for hacking into computers or phones is decades old, the idea of controlling a car or a fridge via the internet is brand new. Until recently, it was unimaginable. For a company that makes medical devices or household appliances, quickly responding to the prospect of a cyber attack isn’t as simple as tweaking a password or two. In an interview with Digital Engineering, Jeff Shiner, director of IoT Solutions at Micron Technology, says that security poses a major challenge for IoT designers. “[C]ritical security elements on clients or nodes aren’t currently native to these platforms and in most cases can be very costly to implement,” he notes. “In addition to the complexity of redesign, the approach can be fairly fragmented between different software and hardware vendors.”
That means Cadillac and St. Jude (among numerous others) are having to build infrastructure from the ground up, to hire product cybersecurity teams, and to budget for personnel and equipment they never thought they’d need. At a Manhattan cybersecurity conference, Anthony Grieco, senior director of security and trust at Cisco, commented that the IoT poses a serious threat to consumer safety. Cisco and other business are redirecting their resources to hire fraud analysts – and to train analysts to combat this specific brand of fraud. But whether (and how quickly) they can secure every IoT device they make –to say nothing of the IoT devices that the company itself uses – remains in question.
Sensitive data at risk
One of the major risks of insecure IoT devices is data breaches. With security of smart devices lagging, hackers will have more entry points to potentially access credit card numbers, login credentials, and personal information. They may also be able to access richer information than other sites provide – like precise geolocation, health information, and behavior data. All of this means that fraudsters will have even more of the ingredients they need to perpetuate payment fraud, account takeover, and identity theft.
The potential for IoT to revolutionize how we live, work, and interact with technology is tremendous. However, we must continue to be thoughtful about how we embrace these new data-rich technologies. And online businesses must continue to vigilant about how they protect their users and customers. More data flowing brings more opportunities – and more risks. However, fraud prevention technologies are constantly improving and adapting. And with the speed of innovation in recent years, there might be cause for optimism.