Slashdot Mirror
Security Experts Believe the Internet of Things Will Be Used To Kill Someone
dcblogs writes: Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists. Or someone who hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the hacker who accesses a building's furnace and thermostat controls and runs the furnace full bore until a fire is started. Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that "the Internet of Things will kill someone". Today, there is a new "rush to connect things" and "it is leading to very sloppy engineering from a security perspective," said Williams. Similarly, Rashmi Knowles, chief security architect at RSA, imagines criminals hacking into medical devices, recently blogged about hackers using pacemakers to blackmail users, and asked: "Question is, when is the first murder?"
This event has already occurred, it just wasnt called Internet of Things. IN short, this is pure click-bait.
Good-bye
... they should return their "security expert" certification.
Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists. Or someone who hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the hacker who accesses a building's furnace and thermostat controls and runs the furnace full bore until a fire is started. Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that "the Internet of Things will kill someone".
*In Sean Connery accent* - Of courshe she doesh.
And I'm a CTO of the peace coalition and - imagine everyone getting along, living peacefully and singing Kumbaya, yes, it sounds like a plot out of some kooky hippie show or Veggie Tales but with the Internet of Things an Ideas, it could happen.
It's just a load of bulls....[carrier lost]
Most people in the USA would not do this. Even if I had the capability to break into your insecure furnace. I don't want to go to jail for the rest of my life just because someone died because your systems are insecure. What you really need to worry about is countries where they don't give a shit about things like this. "Hahahaha. Let me turn up the furnace in this one american school and watch all the people die." People usually don't get extradited over borders. That is the thing to worry about. (Malicious people from other countries or even just kids messing around in other countries.) Blocking non-USA IPs won't help you. Too many open proxies in the USA that this really doesn't do anything anymore.
Bad actors have been using cell phones to trigger IEDs for a while now.
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
Given how lazy and incompetent most device makers are about security, as soon as you have a bunch of marketing guys going "yarg, teh interweb of things" you just know there's going to be terrible outcomes.
They're not interested in designing something which is good, or safe, or well engineered. They're interested in being first to market, and what to put on the power point slides. Which means they'll take shortcuts, or ignore security entirely.
So, I'm sorry, but I'm betting a chunk of people on Slashdot have been saying this would happen for years -- I know I have, and I've seen lots of other people say so.
I have always thought the IoT was both a stupid idea, and one which would eventually kill someone.
No way in hell I'd give my fridge or my toaster access to my network, because I don't see any value in that.
This is the pipe dream of marketing people, and futurists who claim this will somehow improve our lives. But without a lot more proof these companies know what they're doing, you can't trust them.
Hell, the people who make things which are supposed to be connected to the interweb can't get security right. The people who make your fridge? Not bloody likely.
Don't want your smart TV, don't want your smart toaster.
Lost at C:>. Found at C.
One day rock be used to kill someone. Og think mankind is the real monster.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
That's the whole point of my WiFi suicide booth!
Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists.
Egad! Never mind that, imagine what they could do with an entire pla- nevermind.
systemd is Roko's Basilisk.
They did accept a $10 million bribe from the NSA to gimp their own security.
Murderous Maytags are a non-issue in comparison to the number of people whose accidental deaths will have been a far more... "authorized from higher up" affair.
Not that there won't be scapegoats.
https://www.iamthecavalry.org/
Turns out that it's killing a lot more. Can't we get rid of it?
A humorous article doing the rounds back in 93 kind of covered the house side of the internet of things. . .
http://articles.latimes.com/1993-11-25/business/fi-60788_1_house-networks
I turned on a firewall, bought ESD boots, and upgraded to Acme AV Pro!
They can't kill me now.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Does that mean that a dial-up connection would result in a slow, painful death?
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
Yes, it's click-bate, but I agree that there's a rush to connect everything to the internet without thinking about the security consequences; we have enough trouble securing the things already connected to the internet -- never mind an huge influx of cheaply-made, dumb, internet-connected knob turners.
Others have suggested that this isn't new because all technology can and has be used to kill people, but IMHO, the potential for "democratizing" remote and unwanted destruction of physical things is unnerving. Previously, only well-funded governments could pull that shit...
One day rock be pet. Ug be rich.
Get free satoshi (Bitcoin) and Dogecoins
http://www.salon.com/2013/08/21/report_michael_hastings_feared_his_car_had_been_tampered_with/
... believe that this new fire thing will kill someone
... believe that this new talking thing will kill someone
... believe that this new reading thing will kill someone
Some years ago my (cloths) iron died. Shopping for a new one I discovered that the boxes of new irons often displayed a buzzword: digital! /. there was a post about and electric bike (or was it the add on wheel). You controlled it with an app on your smart phone. What if you don't have a smartphone? Or if you go someplace out in a Nature where The Internet has poor or zero connections? More than using TIT to kill someone, that is the question of basic functionality of many devices now being hooked into a network.
Why? Everyone knows digital is 'better' than whatever there is. On further investigation they had electronic displays and settings were digitally controlled. The heat was still generated by good old resistance of an analogue input of electricity.
Much of the internet of things is the same meaningless drivel. Much is annoying. Recently on
In 20 years will you be telling and unbelieving 15 year old that, "Why sonny boy, when I was year age screwdrivers and hammers were not connected to TIT; you just picked them up with your hand and used them." Would he believe you?
Uuuuuuuu
Fucking DUH!
This stuff isn't something we have to imagine, books and movies have already shows tons of nefarious ways to use this idiotic "internet of things"
Not everything needs to be connected to everything else...
1) don't connect the building's fireplace to the net.
2) if you do connect it, secure it
3) put limits on the amount of change one can do over the internet
4) hire a building maint. Man (or woman)
5) move to the country
6) pray
7) pray some more
A lot of "smart" things can, are, and will be used to kill people, from smart cars to pacemakers. But the main vector will still be the dumb buyer.
These guys are selling security services as their primary job function; they may be experts in security as well, but somehow, their statements don't read like an analytical risk evaluation report, but more like an alarmist "people are going to die unless you hire us"
Perhaps engineers might actually come up with a different angle: How about "This Device is certified to NOT be connectable to the Internet of Things".
Simple. To the Point.
Certified Dumb Device.
Might be a thing to consider.
The Seduction
Imagine the world 10 or 20 tears into the future, when the IoT is becoming fully realized. Our homes and businesses have become a large network of every manner of "thing". Due to "network effects", the value of this technology and its ability to transform our lives has grown exponentially, way beyond what we could ever imagine. We are very bit as dependent on The Internet of Things as we were on the Internet of decades ago.
The Reality Today
The Internet, with all its wonders it has brought us, is out of our control. It appears there is no way to secure it. There is no end to hacks and vulnerabilities. Spam, viruses, malware, credit card breaches by the millions, military secrets stolen, loss of privacy on massive scale, DoS attacks, hacking into peoples web cams and microphones, entire systems p0wnd (Sony lately), billions upon billions of dollars in losses and damages. How can we go on like this? All the brilliant ideas of our best computer scientists to protect our computers and systems seem useless. The criminals are always one step ahead of us, no matter what we do.
If we could have predicted all the problems with the Internet as it is today, back when - would we have embraced it as we do now? It can only get worse with the IoT. Imagine when every day items start attacking you like some scene from a horror movie. It will become our worst nightmare.
We need to pause, step back, and look at the bigger picture.
Unfortunately, I have no answers. All I have are questions.
1) security experts :P
2) poster of this article
3) all of above
"Pacemaker has stopped responding due to fatal error" I don't like bugs at the best of times.
I for one am looking forward to articles that actually bring news with substance, instead of the usual vapid fare made up entirely out of the latest industry best current practice scare words.
Who the Fuck Are You!
these newfangled horse less carriages stampeding down roads running people over. Now imagine a group of no good terrorist using those the run people over. So I say lest get back to horses and slow down a bit, step back, and look at the bigger picture.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Anything you can name, will eventually be used to kill someone.
"To those who are overly cautious, everything is impossible. "
Just add the Id to the internet of things and you get a word that pretty much sums up anyone who believes that this medium won't be horrendously abused, broken, and dysfunctional. All it takes is one person. That's all it takes.
Lets be real here. Without going into religion bashing, there are a lot of organized crime groups who would gain a lot of street cred worldwide if they could find a way to bump off people, be it overloading a pacemaker, turning on too little oxygen to a breathing apparatus, turning off fridges while people are away to deliberately spoil the contents, you name it. This is why cars are such an easy target. There was one model of car in Europe that was completely drive-by-wire. Of course, when the computer on that glitched, it caused wrecks, and there was nothing the driver could do, as steering was physically disconnected from the wheel, same with brakes.
I won't be surprised if some group manages to hack something like OnStar and deliberately disable all vehicles attached to it during a hurricane evacuation, either for cred, or just to send a message. Already this has been done in Austin where a car dealership had devices to disable cars (to enforce payments), and an ex-employee used another employee's ID to disable all cars, (paid or not) in the system. So, it is a matter of when, not if.
My question is... how will Congress pass laws? Will we see stuff actually helping to fund CERT and other ventures for security, or will we see laws mandating IDs and hardware DRM stacks (which will do nothing to protect against these attacks.)?
Ooo! Ooo! Oooo! Oooo!
Humans have killed people with all sort of technology. They are quite creative about the topic. They drowned people in their own bathtub or toilet. They burned down houses and even used pest invested dead people as weapon. Of course they will use any new technology also to do it. However, using model planes or helicopters to kill people is not new. Furthermore, they are not Internet of Things or IoT is any remote controlled vehicle implying the radio control is also some sort of Internet. In general IoT is a stupid term as is it Internet of Humans. Internet is just the combinations of networks to form a large one. When at all, it should be called Internet for Humans and Internet for Things.
We had the ability to have a secure Internet back in the 1990s. However, with the average corporate desktop copy of Windows initially having no security other than logging into the Netware server to show a share, security primarily moved to the network.
The problem with IoT is that we (as in general organizations) have a lot of experience in securing networks. However, all IoT devices are edge devices... and it doesn't take a CCIE to realize the problem with that, especially the fact that the tech to secure machines is far trailing the expertise in securing network fabric.
Hello, HAL. Do you read me?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
No way in hell I'd give my fridge or my toaster access to my network, because I don't see any value in that.
You don't see any value in perfect toast?
"dcblogs writes: Imagine a fleet of quad copters or drones equipped with explosives and controlled by cops. Or some cop that hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the cop who accesses a building's furnace and thermostat controls and runs the furnace full bore until a fire is started. Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that "the Internet of Things will kill someone". Today, there is a new "rush to connect things" and "it is leading to very sloppy engineering from a security perspective," said Williams. Similarly, Rashmi Knowles, chief security architect at RSA, imagines cops hacking into medical devices, recently blogged about cops using pacemakers to blackmail users, and asked: "Question is, when is the first murder?”"
..and this is what I've been saying, and will KEEP saying.
No lack of full manual controls.
No lack of an unimpeachable manual override of automated control.
Preferably, no wireless way to access the vehicles' systems at all.
All operators of 'autonomous' cars still required to be trained and certified for full manual control of the vehicle.
Anything else would be utter madness.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
"Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists."
Imagine a fleet of diamond mining slaves equipped with shovels and controlled by capitalists. :)
We could do this all day long. There are too many ways to kill people but only because people kill people.
The government which is strong enough to protect you from everything is strong enough to take everything from you.
[_] easy access to weapons (that can be used in murders)
[_] difficult access to weapons (that could be used to *deter* murders)
[_] people who make themselves potential targets
[_] too revealing clothes
[X] murderers
Linux is for people who don't mind RTFM.
that you can flush from your smartphone.
All fun and games until a hacker gets in and causes it to overflow.
Attach some kind of HSM to all connected devices. Problem solved. Next!
http://science.slashdot.org/comments.pl?sid=5889963&cid=48256269.
I'd like to see the FDA (and its counterparts in other countries) require medical device manufacturers to make the source code for their products available under an OSI-approved open source license. Submission and review of the code would be a prerequisite for a device to be approved for sale and use in a particular country. If someone implants a device, e.g., a pacemaker, in me, I'd like to know exactly what it's doing. Does it call home and transmit my medical data to the vendor (or elsewhere)? Does that connection use up battery power that would require earlier surgery to replace it? Can the vendor (or a hacker) perform over-the-air updates to the code? It's not that I would plan to modify the source code or redistribute it, but it would allow non-vendor experts to review and certify the code, thus giving everyone greater confidence in the proper functioning and security of the device.
is an oxymoron
fuck anyone who calls themselves that.
The irony is that people in the security industry have a self-interest in making people feel insecure. The threats are only limited by their imagination and their ability to develop a product to address those feelings of insecurity.
There are of course real security threats. Just as their are real security threats in the rest of the world. But in both cases, "security experts" are going to exaggerate their importance.
Another day another helping of worthless memes and gimmicks passing for technological innovation.
Similarly, Rashmi Knowles, chief security architect at RSA, imagines criminals hacking into medical devices, recently blogged about hackers using pacemakers to blackmail users, and asked: "Question is, when is the first murder?"
Shortly after you fuckers took a $10M bribe to weaken your security. It would be the icing on the cake if someone died because of that.
If we could have predicted all the problems with the Internet as it is today, back when - would we have embraced it as we do now?
"Many were increasingly of the opinion that they'd all made a big mistake in coming down from the trees in the first place. And some said that even the trees had been a bad move, and that no one should ever have left the oceans." --Douglas Adams, Hitchhiker's Guide to the Galaxy
We need to pause, step back, and look at the bigger picture.
Unfortunately, I have no answers. All I have are questions.
Yes, and from your questions I can see you are quite worried. Here. Here is a bucket of sand. Go ahead and stick your head in that. It should make you feel better. I promise.
Og tribe chief wants ban rock so only tribe chief and tribe chief's friends kill with rock. Og think this bad idea.
We already have fleets of drones equipped with explosives killing people. No terrorists required.
They mean used to kill someone on purpose, which is obvious. A more interesting question is, will the "Internet of things" kill someone deliberately or accidentally first? (Sadly it probably already has on both counts.)
From my observation, the Internet of Things is being sold to companies that want big data and lower costs obtained by monitoring end-users and their gear. Since the end-user is not the customer, it is not surprising that there is lots of very sloppy IoT code and gear out there. A few lawsuits will help this situation, but it is unfortunate that some people will have to suffer for that to happen.
There was one model of car in Europe that was completely drive-by-wire. Of course, when the computer on that glitched, it caused wrecks, and there was nothing the driver could do, as steering was physically disconnected from the wheel, same with brakes.
Try is - Infiniti Q50 - a friend had one as loaner for his FX30d and I got to take it for a spin. Fantastic car to drive, and insanely quick acceleration. The other nice thing was that when you hit a bump you got just enough feedback to tell you that you've hit a bump. You get the responsive steering without any annoying juddering (the roads where I am are horrific, and it feels like my run-flats are flat).
Not sure what car you're alluding to, or even if you're just making it up - which I guess you are - as I can find no mention of wrecks caused by a fly-by-wire car. Please, correct me if I'm wrong.
Sometimes, I can't help but laugh at the really really really funny spin put on things.
"You know, this hasn't happened yet, but we can imagine it and now we WANT to give terrorists ideas because we're that freakin bored with life"
Not realizing most people just don't freakin care to terrorize the population as much as those inventing these really inane, mindless stories keep trying to sell.
...or Get Smart episode? - You be the judge.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
There was a Doctor Who novel, I think this one, The Murder Game by Steve Lyons, where there was an "Assassination program"... a sophisticated malware package that just required to be configured with the victim's name, and it would search out means to physically kill them via computer-controlled objects.
I'm no expert, but even today it sounds almost possible. You need: (1) a way of tying victims to physical objects and locations (DMV records, toy purchases, planning permission applications, ... ), (2) hacks for physical objects (cars, street lights, Mindstorm Legos, home automation systems, ...),
(3) a worm/virus base to spread the code to computer systems physically near the objects.
If that sounds like an implausible engineering effort, remember that malware packages are incrementally improved on and made more powerful over time... it would start out with some simple and unlikely-to-succeed algorithms, and evolve into something with a huge array of killing options.
(Maybe at that point people would start taking privacy seriously.)
I pity the fool who gets to bite it, but apparently it is a necessity that people can die from something before anything remotely resembling safety and security gets implemented.
Then again, why should I pity someone who has no idea what he is doing but feels the pressing urge to do it anyway?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You can strap little bombs to thousands of birds, you know, flocks of 'em, and they have the detonators in their beaks. Then put breadcrumbs on the target/victim...
Or how about a big bomb with a big magnet on it so that it sticks to the bottom of a car or truck, then send in a special-ops stealth trained parrot to sneak in and detonate it?
Or radioactive flamingo dirty bombs?
It's only a matter of time before someone comes up with a dastardly plan like this. We have to stop them now! Air traffic control and passports for birds, immediately. Stop the avian terrorist threat!!!
Would you like a waffle?
How about a toasted tea cake?
I hate "internet of things" even more than "the cloud." They're both buzzwords for things that already existed.
I am a type 1 diabetic of 20 years. I have been using an insulin pump with continuous glucose meter and would give thousands if it had better connectivity to my computer through bluetooth or some other type of even vaguely hackable interface.
I agree the line "internet of things will kill someone" is nothing more than click bait that insulin pump hacking does not belong in.
The fellow that spoke at Defcon about the 'danger' of someone giving an unsuspecting diabetic a boatload of insulin or stopping their pump remotely, could not demonstrate a working exploit, nor could he demonstrate any type of understanding of the wireless protocol that insulin pumps use beyond showing how he had tried to analyze the wireless protocol and did note that by default it did use encryption.
I don't really consider insulin pumps to be part of the internet of things yet, not until I can adjust my insulin pump's bolus basal rate, carb to insulin ratios and tracking of insulin sensitivity at different times of the day in a closed loop way, either in a self contained out of the box system or a hacked together internet of things type of way.
So in summary , lumping insulin pumps and internet of things into the same category does not show that the author's understanding of insulin pumps or "internet of things" is all that extensive.
I developed a bluetooth radio system that uses a dataset taken from the insulin pump, CGM and fingerstick meters along with user entered diet information. This system over time builds a dataset on which regressions were performed and delivered insulin amounts for specific meals, and tracked causal factors having to do with short and long term changes in insulin sensitivity, resulting in adjustments that can be made to basal rates, meal bolus rates and correction boluses to counteract unexpected insulin spikes. (In my experience, insulin sensitivity and carb to insulin ratios, are two settings of an insulin pump that change together, if you think about it, if the amount of insulin that it takes to keep your blood sugar in range and relatively flat and how much insulin it takes to lower your blood sugar by a certain amount of mg/dll, is within a cycle of a day, caused by the same thing and changed by the same amount though it is neither linear or something that is always caused by the same thing. (hormonal responses, changes in diet, changes in exercise, changes in physical fitness (losing body fat or gaining muscle weight) and gaps in the timing of daily diet can change this response in the short term. My professor did not understand this despite having a PHD in computer science and kept giving me bad grades for his misunderstanding that food items and the caloric content and amounts and timing were recorded in different database tables and appeared like redundant data, but each group was tracking causal factors that if left unchecked can send the whole system into a flat spin and or result in good usable data not being collected. If I had it to do over again, I would have chosen another project because explaining this to a professor who seemed hell bent on giving a bad grade to a previously determined percentage of the class, required far too much argument to be worth my time.
I digress, Internet of things? perhaps in 15 years given the rate at which insulin pump technology is becoming available. If it were not for legalities and fear based on nothing but speculation and not real data reflecting real verified risks, there are off the shelf components that could build insulin pumps that would require little to no user interaction and yield nearly perfectly stable blood sugars, but part of the problem is that doctors don't understand computers or math very well and very few engineers understand diabetes intimately enough to envision such a system.
Or someone who hacks into a connected insulin pump and changes the settings in a lethal way.
for the lulz!
You click it and then you click more bait on the bait page and before you know it your family finds you in your room dead from dehydration or if your a gamer and have lots of snacks n soda they find you 8 days later dead from a heart attack brought on by extreme sleep deprivation.
Nice snarky comment, but not helpful.
What you seem to forget is that the current trend in development (buzzworded 'Internet of Things") is about to make the infrastructure that is open to unauthorised access a million times more pervasive, and the real-world impact of such unauthorised access a thousand times more severe. As in people getting killed.
This article is one of the first (more or less mainstream) articles where the danger is recognised, named, and presented in a way even Joe Sixpack can wrap his grey matter round.
Please bear in mind that whether *you* realise something is dangerous doesn't matter one way or another because you have zero impact on the trend. You don't matter (and neither do I or any other geek for that matter).
It's only when mainstream media get hold of the idea, the public learns from them, and politicians start worrying because it's what their voters worry about that you'll see any potential for serious adjustment.
So, if you think about it for a few minutes, you ought to be glad that this article is written and you'll see how unhelpful your comment really is.
The net and computers are simply tools. In fact they are very powerful and world changing tools. And the funny thing is that good things almost always take a life here and there. How many people have perished from a table saw accident? And even as something as innocent as a play or a sonnet will tend to leave a body count. I'd bet money that arguments by Shakespeare experts have led to violence now and then over the meaning of a phrase in some work of Shakespeare. And the Bible and the Koran both have a body count in their wake as well. To think that the net, computers and data mining will not do someone, somewhere, a lot of harm would be the thoughts of a fool.
these stupid stories are killing me.
Sure some of the example seem more like the near future. But everyone knows that some indirect lethal actions have occurred.
Some hospital under DDoS certainly with telemedicine probably lost a patient, two or even three.
Fortunately for hospitals, they can chalk it up to the patients fault or some other innocuous occurrence with indirect, who really can point the finger?
The fickle finger of fate!
http://www.aisnota.com/slashdot/ Welcome to Logic and the Future