IoT and Terrorism – Is Innovation Outpacing Security Awareness?

Finjan Team | Blog, Cybersecurity

The operational and commercial opportunities offered by the Internet of Things (IoT) are resulting in the proliferation of consumer, government, and institutional devices which are internet-enabled, often inter-connected, and independently “intelligent”, to the extent that they may be observant, communicative, self-monitoring, and self-regulating.

IoT and Terrorism – some interesting facts:

Current estimates point to the active deployment of over six billion IoT devices, ranging from tags and monitoring circuitry on consumer goods to devices regulating the distribution and quality of urban infrastructure and utilities, through to sophisticated components deployed in government, military, and intelligence circles.

By 2020, it’s estimated that there could be anything from 20 billion to 50 billion internet-connected devices in the world. And with the current state of the technology displaying a worrying trend towards the use of low-cost generic components and an almost universal lack of security awareness or resistance to attack, the potential for IoT infrastructure and devices to become tools in the work of terrorism is looking less like a dystopian Sci-Fi scenario and more like an increasing probability every day.

IoT and Terrorism – What Our Protectors Say

Internationally, there’s a fairly broad consensus that the new breeds of “smart, connected devices” have as much potential to put us in danger as they do to make our lives more pleasurable or convenient.

Back in 2012, DARPA (the Defense Advanced Research Projects Agency) began a program (High Assurance Cyber Military Systems, or HACMS) aimed at fixing vulnerabilities which terrorists and cyber-criminals might exploit in future IoT devices.

In 2014, Dawn Meyerriecks, deputy director of the science and technology directorate for the Central Intelligence Agency (CIA), commented on the use of smart refrigerators as instruments in staging Distributed Denial of Service (DDoS) attacks, and warned about the vulnerability of smart fluorescent LEDs whose self-monitoring and reporting circuitry could be hijacked for purposes other than telling when the bulbs needed to be replaced.

Across the Atlantic, the European Police Agency Europol’s European Cybercrime Center (EC3) came to the grim conclusion in its 2014 iOCTA (Internet Organized Crime Threat Assessment) that the world will soon see its first exclusively IoT murder, as criminals or terrorists hijack devices of what Europol dubs the “Internet of Everything” (IoE) as offensive weapons.

Speaking for the Justice Department at the 2016 Summit of the Intelligence and National Security Alliance, U.S. Assistant Attorney General for National Security John P. Carlin compared the expansion of the IoT to the growth of so-called “next-generation terrorism.” The fact that industry predictions designate one in five cars and trucks as IoT-enabled “devices” by 2020 puts that many more potential weapons in the hands of rogue operators such as the individual responsible for last year’s truck attack incident in Nice, France.

Meanwhile, the U.S. National Security Agency (NSA) is looking at the Internet of Things in its usual pragmatic fashion. In a 2016 interview, Deputy Director Rick Ledgett spoke of the IoT in terms of its being simultaneously “a security nightmare” and “a signals intelligence bonanza.”

The Digital Realm as Terrorist Resource

This last observation from the NSA speaks to the dual nature of so many things in the information security realm: What works as a valuable tool or resource for users and security defense may also serve as a weapon for hackers and cyber-terrorists.

From the outset, components of the IoT have been deployed without the level of security protection typically afforded to desktop computers, laptops, or cellular devices. Connections to the internet have made it possible for IoT devices to deliver enhanced user experiences via remote control and on-the-fly updates for household appliances, gates, barriers, security cameras, and a host of other applications. And the devices themselves have infiltrated all walks of life: urban infrastructure, personal, government, and military.

At the same time, the medium for IoT connectivity and communications – the internet itself – has become a resource pool for both physical and cyber-terrorist organizations. For the most part, this role has been limited to operational matters such as marketing, propaganda, recruitment, fund-raising, and the spreading of various ideologies.

But it doesn’t take a huge stretch of the imagination to picture a scenario where sponsorship from a nation-state or non-state actors, the purchase of knowledge, technology or services from cyber-criminal networks via the “Dark Web”, or the specialist recruitment of specific talent could lead to a staged offensive.

Exploiting Individual Devices

Documentary and physical evidence already confirm how relatively easy it can be to gain control of an IoT-enabled device and direct it to do something it isn’t supposed to. Researchers Chris Valasek and Charlie Miller’s 2015 remote hijacking of a Jeep in motion at 70 mph on a highway (with a journalist for WIRED sitting in the vehicle at the time) should be enough of a cautionary tale as to what’s possible with some ingenuity and a vulnerable circuit.

If that doesn’t get you thinking, consider this:

A group of Hezbollah-affiliated Shi’ite hackers claimed to have infiltrated security cameras in Israel in February 2016 – including cameras located at the Ministry of Defense building in Tel Aviv. The hack allegedly gave the group access to both sensitive visual data and audio, as some of the cameras were fitted with microphones.

Creating Silent Armies

Last year’s headlines provide ample proof of the potential for IoT devices to wreak havoc in the realm of cyber-terrorism. The October 2016 Distributed Denial of Service (DDoS) attack targeting the Dyn Company, a DNS services manager, achieved a traffic volume of 1.2 terabytes per second at its highest point, and disrupted over 70 major websites (including Amazon, PayPal, Visa, and social networks like Twitter and Tumblr) in the largest assault of its kind.

The DDoS attack was made possible through the creation of a massive botnet including baby monitors, security cameras, and electronic gates – all of which were IoT devices.

Fine-Grained Controls

The fact that so many IoT components are designed with the purposes of monitoring, reporting and the adjustment of various settings means that vulnerable devices now offer potential attackers a range of fine-grained controls which they could exploit for their own purposes.

For example, specialized search engines exist to facilitate the detection of IP addresses for endpoint devices connected to the internet. These search engines empower hackers to categorize and codify their targets according to device type, version, location, and other criteria. Lists including the addresses of security cameras and network routers have previously been published by terrorist support networks.

Manufacturers’ lists of default administrator access passwords for various devices are regularly published – and as these publications aren’t protected, hostile parties who gain access to them can use these credentials to gain remote access to vulnerable endpoints.

IoT and Terrorism – A Broad Strategy for Defense

Much of the IoT security deficit has been historically blamed on low-grade manufacturing and a lack of security and quality control measures in the production of devices. Glitchy or vulnerable open source code and generic components combine to produce hardware and software that’s exploitable, and vulnerable to security breaches.

The lack of an overriding and enforceable security standard for IoT device manufacture is still being felt – and the establishment of local, regional, and international standards is one of the first priorities that will have to be addressed in crafting a global system of defense.

Wide-ranging and coherent security policies will have to be drawn up for IoT deployments at local, regional, and national scales. These will need to cover such aspects as authentication and encryption protocols for data transfer, and the methods and technologies adopted for the upgrade and patching of IoT hardware and software.

Beyond this, some level of proactive defense is called for on the part of the government, military, law enforcement, and intelligence agencies charged with our protection. The challenge for these organizations will be to find effective and innovative ways to turn the double-edged sword of IoT technology against those who would seek to exploit it to spread violence and terror.
