Attacks on physical devices and infrastructure offer a new target for cyber crime, a new opportunity for espionage and even a few front in cyber war.
Rather than exploit computers and their applications, the Internet of Things allows malicious actors to go after a whole new category of devices, from children’s toys to nuclear power equipment.
This is the context for the latest book by cryptographer and cyber security expert Bruce Schneier. In “Click Here to Kill Everybody,” Schneier paints a bleak picture of a world unprepared for the risks attached to the “Internet+” (a term coined to describe the application of the internet to conventional industries) and the clash between physical and cyber threats.
Threatpost caught up with Schneier, and asked him about his vision to limit the damage.
Threatpost: What prompted you to write “Click Here to Kill Everybody?”
Schneier: That title, alarmist as it might sound, invokes the notion of computers that can affect the physical world. That is something relatively new, but increasingly important. [The book] is about what citizens and society can do about the increased risks from physically capable, and dangerous, computing devices.
TP: How big a departure is the Internet+ or Internet of Things, from the risks we’ve faced through conventional computing and the internet?
Schneier: There’s no difference and there is a lot difference.
We can talk about vulnerabilities in software, about worms and viruses. The difference really is what the computers are doing. We are moving to a world where computers are in things, in cars, in medical devices, in appliances, in toys, in power plants.
It’s what the computers are attached to, and what they can do.
TP: It’s still relatively early days for the IoT and connected devices. Where are we on the threat curve – how many attacks have we seen?
Schneier: We see attacks all the time. Just recently, we had a major attack on Marriott Hotels. These things happen every week, every day. Attacks against cars have been largely in the lab and in demonstrations…but we’ve seen ransomware against thermostats, refrigerators sending spam.
Have we seen a death by this? Not that’s documented. Possibly if you dig down through some of the effects of the hospital DDoS and ransomware attacks you might find some. But we have not seen murder through disabling the brakes in a car. We haven’t seen massive property damage through disabling thermostats in the middle of winter. Those are still to come.
TP: So is it only a really matter of time before these threats ratchet up?
Schneier: It’s simply because computers are becoming more central in our lives. When hospitals are working well, computers are saving lives. We wouldn’t take those computers out because of the risk. That’s just ridiculous. The benefits are enormous.
But with that benefit comes the risk. And yes, people will die. Technologies that affect life kill people. In the United States, automobiles kill 40,000 people each year. It’s an enormous number, and that is the risk to an incredibly beneficial technology that we all enjoy, even if we’re not drivers.
TP: With the incidents we’ve seen so far, are we seeing strategic intent or are the attacks primarily opportunistic?
Schneier: A lot of what we are seeing is opportunistic. There are criminals, trying to make money one way or another. We are seeing government espionage attacks. Those are not causing damage, but are collecting information and prepping for any future hostilities. The US power grid has been penetrated by other countries, probably looking for vulnerabilities they could use, in the event of an unimaginable war. Presumably the US is doing the same thing to other countries.
Those sorts of cyber operations are in the minority. But they are likely to grow, as this becomes a more fruitful way of attack. It’s a way a smaller country can play in a larger playing field. And that is a worry in geopolitics right now.
TP: So fundamentally, how do attacks against the IoT differ from attacks affecting conventional IT?
Schneier: There are differences at the tech level but I don’t think they matter at the level of this conversation, the level of policy.
Attacks will take advantage of the unique properties of the technology. But at the level of risk these are computers. Vulnerabilities are discovered vulnerabilities are exploited. This is done to various degrees and to various effects, and that is what we worry about. The details of the code, the engineering, the math, I think is best left to the engineers.
TP: Nonetheless, in the book you talk about class attacks, and the way code is reused between different devices. There’s the lack of testing and a lack of upgradability in many of these devices. Is that a factor?
Schneier: Class attacks are actually very interesting. They are something that computer users are used to. The rest of the world has no idea they are coming. Let’s take cars as an example. We know how cars fail. We have a hundred years’ experience with cars and failures. Parts break once in a while and there is an ecosystem of car repairers. Cars get fixed at a steady stream. Now computers fail differently. They all work perfectly, until one day when none of them do.
That is not a mode of failure the automobile industry is used to. Several years ago there was software vulnerability in Chrysler cars and they had to recall 1.4m cars to go back to the shop and get their software upgraded.
TP: That’s quite a step change for any manufacturer. What is the industry doing – and perhaps what should it be doing?
Schneier: What they are doing is not much. A lot of these new devices are very insecure. There are exceptions, the auto industry is doing more, the medical devices industry is doing more. But when you go down to consumer goods, most of them are very insecure, very sloppily designed, and no-one seems to care. And the reason basically is that the market doesn’t reward good security.
People buy things based on price and availability, not based on security and privacy. There is a market failure: we are not incentivising good security. That speaks to the solution. We need to raise the cost of insecurity, so that companies will make their devices and services more secure.
We need to bring that to bear on software and the internet of things, because they are now dangerous.
TP: What’s the feedback been from the book so far? And are the changes you propose likely to happen?
Schneier: The feedback on the book has been surprisingly good. I make a very strong case that government involvement will incentivise innovation, make things more secure, more reliable and help the industry.
And I have been surprised at the positive reception I’ve got from groups I would expect to be very hostile. That being said, the path from here to there is slow, rocky and not going to be traversed anytime soon.
US Federal agencies in traditionally regulated areas, including cars, medical devices, airplanes and power plants, are moving into regulating the computing aspects of those industries. My worry is that it will take a disaster, some large scale loss of life, to spur government into [wider] action. That is often what it takes to get a government to do something.
TP: Do we need to nudge the industry to a point where good security is a sound business decision?
Schneier: I think “nudge” is an understatement. We need to force the industry to a point where sound security is the right thing to do, where the cost of insecurity is greater than the cost of security.
Once we do that, innovation kicks in. A lot of security technologies aren’t being deployed because the market doesn’t want to buy them. But if it’s much more expensive to be insecure, suddenly there are buyers. And when there are buyers, there is innovation, new ideas, new products, and cheaper and better ways of doing things.
The whole engine of a market economy kicks in, once we have the demand.