Conficker, a computer worm whose sophisticated botnet (a network of infected computers) infected as many as 15 million Windows PCs in late 2008, reared its ugly head again in mid-November. This time it was found not on laptops and PCs but on police body cameras, and what's more, it came pre-installed from the manufacturer. Security researchers also made headlines in August by demonstrating that they could remotely control a Jeep: they disabled its brakes and accelerator and managed to kill the engine.
Welcome to the age of the Internet of Things. From the time we wake up in the morning until we go to bed at night, we are living in a world in which we are increasingly surrounded by Internet- and network-connected things. By 2020, the number of connected devices is expected to outnumber the number of connected people by a ratio of 6-to-1, according to research by Cisco.
More and more of the world has a digital component. Insulin pumps are enabled with Bluetooth, pacemakers and cochlear implants are connected to a network, and refrigerators have IP addresses. Cars are essentially computers on wheels, and the lock on the front door of a home can be controlled by a smartphone from anywhere in the world.
This Internet of Things creates opportunities for technology to make our lives easier and healthier, providing instantaneous access and reach to technology and information. Our health can be monitored with Fitbits, devices worn on the wrist or body that can track sleep patterns, heart rate and even blood pressure. The Nest brand thermostat can digitally adapt to our daily patterns, while doorbell cameras can identify the person at the door and send an instant alert to a smartphone.
But all this connectivity comes with inherent risks. Researchers estimate that there are between 4.9 billion and 25 billion connected "things" today, mainly computers, mobile phones and traditional computing components. For the most part, we know how to protect these kinds of devices, and the risks are manageable.
As connected devices spread into more and more domains, their number is expected to grow dramatically: estimates range from twenty-five billion to fifty billion by 2020. The risks will grow with them.
For the developers of "things," security is often an afterthought. A lightbulb manufacturer is likely to be focused on lumens and hues, not lines of code and malicious hackers. Devices are often developed without an understanding of the relevant vulnerabilities and threats, and with little sense of the environment in which the device will be deployed. This is especially true for crowdfunded startups (think Kickstarter), where every dollar likely goes toward developing a product and getting it to market. In that setting, security, if it is considered at all, comes last.
In addition, the tools needed to hack into "things" are relatively cheap. A software-defined radio receiver for monitoring the airwaves goes for $15, a device that can locate and unlock a Tesla (by cracking a six-character password) can be put together for $20, and $39 buys local-area cellular jamming capability. Defending against such attacks can cost thousands, which makes the battlefield very uneven in cost terms.
Perhaps most significantly, software vulnerabilities remain one of the biggest problems in security. Even after thorough review, bugs remain in code, at a rate of roughly one per 2,000 lines. Attackers use these bugs to gain access and then to achieve their aims, such as stealing data or installing malware. Modern equipment contains millions of lines of code, creating a large attack surface with plenty of opportunities for attackers. Code certainly exists in the digital realm (browsers and operating systems have anywhere from eight million to forty million lines of code), but code is also responsible for running components in the physical realm: flight software for civilian and military aircraft contains about fourteen million to twenty-four million lines of code, while commercial and military vehicles have more than 100 million lines.
Vendors are not held liable for vulnerability-ridden code, and determining where liability lies can be difficult, especially given open-source libraries, massive code reuse and the reliance that hardware-centric vendors (such as lightbulb manufacturers) place on other vendors' chips, firmware, software or protocols for their Wi-Fi-enabled and connected components. Unlike the regular patch releases for conventional computers (such as Patch Tuesday for Microsoft PCs), there is no standard way to update "things" today. For instance, after the disclosure earlier this year that 1.4 million vehicles were vulnerable to remote exploitation by attackers, Chrysler hurriedly mailed out patches in the form of USB thumb drives. Mailing a drive only works safely if the vehicle verifies that the update is genuine before installing it; otherwise the patch channel becomes one more way in.
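Since the Jeep fix went out on USB drives and the broader point is that "things" lack a standard, safe update path, the following Go program is an added example (written for this page, not Chrysler's or any vendor's code) of the two checks a device should perform before installing an update that arrives over an untrusted channel such as a mailed drive or a download: that the image was signed by the vendor's key, and that it is newer than the version already installed, so that an old, vulnerable but genuinely signed image cannot be replayed. The image layout, the Ed25519 key pair generated at startup, the sample payloads and the function names are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not any vendor's real format):
//   [4-byte big-endian version][64-byte Ed25519 signature][payload]
// The signature covers version || SHA-256(payload), so an attacker can
// neither alter the payload nor re-label an old image with a newer version.
const (
	hdrLen = 4
	sigLen = ed25519.SignatureSize
)

// Distinct errors so the device can log which check failed.
var (
	ErrMalformed = errors.New("update: image too short")
	ErrBadSig    = errors.New("update: signature verification failed")
	ErrRollback  = errors.New("update: version is not newer than installed")
)

// signedMessage is what both sides sign/verify: version bytes || SHA-256(payload).
func signedMessage(verBytes, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 0, hdrLen+len(digest))
	msg = append(msg, verBytes...)
	return append(msg, digest[:]...)
}

// BuildImage is the vendor side: sign version||hash with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var ver [hdrLen]byte
	binary.BigEndian.PutUint32(ver[:], version)
	sig := ed25519.Sign(priv, signedMessage(ver[:], payload))
	img := make([]byte, 0, hdrLen+sigLen+len(payload))
	img = append(img, ver[:]...)
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyImage is the device side. pub is the vendor public key provisioned
// at manufacture; installed is the running version, which must itself live
// in storage an attacker cannot simply roll back. On success it returns the
// new version and payload; nothing is trusted until the signature checks out.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen {
		return 0, nil, ErrMalformed
	}
	verBytes := img[:hdrLen]
	sig := img[hdrLen : hdrLen+sigLen]
	payload := img[hdrLen+sigLen:]
	if !ed25519.Verify(pub, signedMessage(verBytes, payload), sig) {
		return 0, nil, ErrBadSig
	}
	// The version is acted on only after the signature has authenticated it.
	ver := binary.BigEndian.Uint32(verBytes)
	if ver <= installed {
		return 0, nil, ErrRollback
	}
	return ver, payload, nil
}

func main() {
	// Vendor key pair; in production generated once, offline, with the public
	// half burned into the device. Generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	v1 := BuildImage(priv, 1, []byte("firmware v1 (constructed sample payload)"))
	v2 := BuildImage(priv, 2, []byte("firmware v2 (constructed sample payload)"))
	tampered := append([]byte(nil), v2...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit

	cases := []struct {
		name string
		img  []byte
	}{
		{"genuine v2", v2},
		{"tampered v2", tampered},
		{"replayed v1", v1},
		{"truncated", v2[:10]},
	}
	const installed = 1
	for _, c := range cases {
		ver, _, err := VerifyImage(pub, installed, c.img)
		if err != nil {
			fmt.Printf("%-12s rejected: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-12s accepted: would install version %d\n", c.name, ver)
	}
}
```

Only the genuine, newer image is accepted; the tampered copy and the image signed with a different key fail the signature check, and the older image fails the rollback check even though its signature is valid. The delivery medium, whether a mailed drive, a phone app or a download, then no longer needs to be trusted, which is the property a patch mechanism for "things" needs before it can be standardised.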
The exponential growth in technologies is outpacing security. Companies should prioritize security from the start by implementing secure design and architecture, employing regular security testing and red-teaming (the practice of hiring professionals to “attack” a system to find weaknesses) to get ahead of the threats, and encouraging bug bounty programs (where security researchers find and report software vulnerabilities to vendors in exchange for recognition and compensation).
Silicon Valley entrepreneurs probably won’t slow down on their own—it’s not their style. A working solution may lie in a partnership between the policy and technology communities, combined with input from the public to address the risks of the Internet of Things. At a minimum, that means considering liability legislation to provide guidelines and liability standards to reduce software vulnerabilities in code libraries for computing components and newly connected devices, and establishing and enforcing standards for patching when an issue arises.
In the ever-growing Internet of Things, attackers already outpace the defenders. If developing solutions for software liability does not become more of a priority for everyone—including tech developers, manufacturers and consumers—there may be no winning this technological war.
Lillian Ablon is a researcher at the nonprofit, nonpartisan RAND Corporation, where she recently studied the security of the Internet of Things for the RAND Center for Global Risk & Security.