SA Forum is an invited essay
from experts on topical issues in science and technology.
“We live in a connected world” is a well-worn axiom. Even so, few people realize
the true extent of that interconnectivity. Networking giant Cisco Systems
estimates that by 2015 as many as 15 billion devices will be connected to the
Internet—more than double the world’s population. One forecast suggests that the
number of such devices will reach 50 billion by 2050, and that is almost
certainly an underestimate. Many of those machines will interact with each other
without our intervention, and often without our knowledge. When that happens,
the Internet of Everything will have truly arrived.
But the Internet of Everything faces significant security challenges. It will
consist of billions of devices programmed to handle multiple functions
autonomously and asynchronously. Any node could be an attack vector for the
entire system. Locating and containing a breach in such a dynamic, distributed
system may be close to impossible. This matters because an attack on the
Internet of Everything won’t simply destroy data—it will disrupt the physical
world.
The Internet of Everything has been described as a transition from “Machina
habilis” to “Machina sapiens”—from a world where machines respond only to human
commands to one in which machines, enabled with complex algorithms and adaptive
behaviors, act as intelligent agents on behalf of individuals. By carrying out
tasks ranging from optimized traffic management to monitoring the health of the
elderly to nuanced control of energy usage, the Internet of Everything should
make the world smarter and our lives easier. It will also make it much easier
for hackers to cause real-world damage.
We’ve already seen this sort of attack happen. The first came in 2010, when the
Stuxnet virus targeted the systems that controlled centrifuges used in Iran’s
nuclear program, causing them to spin destructively out of control. Stuxnet,
which was probably a joint U.S.–Israeli venture, quickly created blowback. In
August 2012 an attack on Saudi Aramco, which supplies about one tenth of the
world’s oil, destroyed or compromised some 30,000 computers and 2,000 servers.
The attack, which almost certainly originated in Iran, was intended to stop
Aramco’s oil production. Although the hackers failed, former CIA director Leon
Panetta described the attack as “probably the most destructive attack that the
private sector has seen to date.”
The Internet of Everything exponentially increases the potential for physically
destructive cyber attacks. A 2010 paper on the security and privacy of wireless
tire-pressure monitoring systems showed that hackers could easily intercept and
decode a system’s sensor messages, triggering false alarms or spoof warnings
that could potentially harm the driver. More recent research funded by the
Defense Advanced Research Projects Agency (DARPA) has demonstrated the ease with
which almost all the computerized systems in today’s cars—including the
steering, accelerator and brakes—can be hijacked. Another researcher discovered
that a system used to operate an electronic medicine cabinet for hospital
prescriptions could easily be hacked, thanks to a software flaw. The potential
for remote hacking of smart objects via new and novel vectors also exists. For
example, Sandia National Laboratories is developing “radar responsive” tags,
about the size of the stick-on RFID tags used in retailing. The tags remain
dormant until awakened by a radar pulse from as far as 19 kilometers away—and
then indicate their location. The potential for abuse is not hard to envision.