From your fridge, your oven and your toothbrush to your car, doorbell and bike lock, more and more everyday objects are being imbued with smart features and internet connectivity. All of which means the physical world around us is becoming more hackable. WIRED and HP showcase ten re-inventors working to keep this rapidly growing number of vulnerable devices safe from cyberattack.
Professor in wireless communications, King’s College London
On October 21, 2016, a massive distributed denial of service (DDoS) attack brought down the sites of Twitter, Pinterest, Reddit, Spotify, PayPal, Verizon, Comcast, and a host of other major US web companies. Behind it: your smart fridge, home security camera or DVR, all of which were lassoed via the publicly available malware, Mirai, into a vast botnet and directed at major domain name system service provider, DYN.
The attack would have come as no surprise to King’s College London Professor in Wireless Communications, Mischa Dohler, who recently cautioned that the vulnerabilities of unobtrusive and unchecked Internet of Things (IoT) devices make the rise of such attacks only a matter of time.
For the Mirai malware, enlisting devices came easily, thanks to out-of-date firmware and the prevalence of default admin logins, allowing it to build a DDoS army numbering, according to DYN, in the tens of millions. Unless the industry develops new cybersecurity solutions fast, this, Dohler has emphasised, is only the beginning.
Co-ordinator, IoT European Research Cluster (IERC)
For Ovidiu Vermesan, whose role is to facilitate collaborative research on how the Internet of Things can support European development, the potential of IoT is enormous. From smart sensors for a more efficient National Grid, and congestion-aware road signs to responsive city lighting and self-regulating buildings - in sufficient quantity tiny devices can have a large impact. First, however, they need to be secure. The vulnerability of your thermostat is one thing, but as similarly small devices are connected up to home oil rigs, and motorway junctions, the need to protect against cyber attack is becoming ever more critical
Executive vice president, Consumer Security, F-Secure
The average antivirus program runs to a few hundred megabytes in size. The average IoT device has no more than a couple of gigabytes of memory in total. Take firmware and data storage into account and that leaves little space for security software. Instead Helinski-based F-Secure are taking security back a step, to the router itself. Its Sense hub scans the network on behalf of all the devices connected to it, from lightweight systems like connected security cameras to the traditional heavy-weight desktop PC.
“People are starting to buy all kinds of new smart devices to use in their homes, and we know that these devices are already being hacked,” said Samu Konttinen, F-Secure executive vice president, Consumer Security when announcing SENSE. “We've seen footage from nanny cams streamed online without people's knowledge or consent, and it's been proven that intruders can use something as simple as a connected light bulb to get access to people's homes.”
But security doesn’t end at home. F-Secure also runs another level of security checks from the cloud, allowing a lightweight client on the device to query incoming connections from anywhere in the world before accepting them. “Criminals are constantly developing new ways of turning people's technology against them,” Konttinen said. “Security solutions need to evolve to meet this challenge.”
Founder and CEO, WISeKey
The number of connected IoT devices is expected to hit 6.4 billion this year, according to US research firm, Gartner, a 30 per cent rise from 2015. By 2020 the size of the IoT network is expected to reach 20.8 billion things. Keeping each device safe is enough of a challenge, but there’s also a need to keep your network safe from each device and the potential of allowing access to even just one malicious connection among millions.
That’s where WISeKey’s Root of Trust comes in. Incorporated into the hardware of the chip itself this provides a cryptographic signature of the device’s authenticity and integrity to an artificially intelligent cloud-based security platform that learns from attack attempts.
“This new platform opens up many possibilities for improving the overall security functionalities by taking advantage of the world of digital identification at the object level,” explained Carlos Moreira, founder and CEO WISeKey. ”Once combined with big-data this allows us to gather and process all available information to generate actionable insights.”
Research director, International Security, Chatham House
For Patricia Lewis, one of the greatest cybersecurity threats are the devices almost all of us rely on, and few of us ever see. Satellites, the subject of a research paper Lewis co-authored in September, underpin everything from navigation and air traffic control to financial services, defence and weather forecasting. They also cost enormous sums of money to build and launch, leading to minimal turnover and significant legacy design issues, including vulnerability to cyberattack.
This is not only a potential concern for the future. Several times since 2012, North Korea has jammed GPS signals to South Korea, taking Seoul’s mobile network down for several days at a time. More dangerous is the potential for spoofing attacks which send false signals instead, potentially causing ships to collide or bringing down vital financial and energy infrastructures. Alternatively, by taking control of the satellite itself, hackers could crash it into other satellites or bring it crashing back down to Earth.
“Technology alone cannot provide the basis for policymaking on cybersecurity,” the report concluded. What is needed, Lewis recommended, is, “An international ‘community of the willing’ – made up of able states and other critical stakeholders within the international space supply chain... to develop a space cybersecurity regime competent to match the range of threats.”
Founder and CEO, 3DB Technologies
Convenience often comes at a security cost, as Boris Danev knows all too well. In 2010, while a Phd student at ETH Zurich, Danev discovered the increasingly popular passive keyless entry systems - which use Bluetooth to allow an owner to unlock and start their car by proximity alone - could be very easily hacked. All he needed was a cheap off-the-shelf Bluetooth amplifier to trick the car into thinking the key was much closer - even when it was actually up to 165 feet away on the dining room table inside the car owner’s house. Some insurers now refuse to cover such cars unless additional security, such as a locked garage, is in place.
Through Thalwil, his Switzerland-based startup, 3DB Technologies, Danev is now commercialising a chip specially designed to prevent such attacks. This works by sending very short energy pulses at a specific frequency range, just like a password, which changes on every use. The key then returns the signal back to the car, which uses the elapsed time to measure the exact distance between them.
CEO, BehavioSec
Imagine a future without passwords. Neil Costigan does, but that's not to say he's looking to a future without security. Instead Costigan believes we can replace a several character code with something both much more secure, and much easier to remember - your behaviour. Specifically your unique behavioural interaction patterns from the way you touch your phone, or move your mouse, or type words on a keyboard. Spun out from research conducted at Luleå University of Technology in 2009, BehavioSec's system has been shown to detect an intrusion within milliseconds with a 99.7 per cent accuracy. Over 2015, they provided security for 1.2 billion transactions for 15 million consumer users and have since expanded to Germany, the UK, the US and Benelux.
Senior research scientist, Idiap Research
From facial features and speech habits, to the pattern of veins in our fingers, behaviour is far from the only natural unique identifier that human's posses as a potential password replacement. But when introducing any new security system the most important task is figuring out the ways it could be fooled. At the Switzerland-based Idiap Research Institute, Sebastien Marcel leads the Biometrics group in researching how multiple authentication modalities can be combined for more secure authentication solutions, how a unique biometric identifier can be spoofed, and then how to prevent such spoofing from being successful.
CTO, Telekom Innovation Laboratories, Ben Gurion University
Your smartphone, according to Israel-based Dudu Mimran, is increasingly becoming a hacker's number one target. Nothing is better suited to the capitalisation of a user slip-up, from opening a malware-containing file to entering your security details to a false website than a device we carry around almost all day.
The challenges in securing it, however, are many. The roll-out of security fixes is slow across the fragmented Android ecosystem, and we rely on thousands of micro-business app-developers to keep their own piece of the security puzzle up to date. A further complication Mimran points to is the mixing of business and private uses in the same device, allowing any malicious software to enter through a novelty app downloaded for personal use, then to gain access to everything from your fitness records to your enterprise CRM app.
Co-founder and CEO at Argus Cyber Security
Having your hard drive wiped by malware may be infuriating, but as our cars are become internet connected devices the cybersecurity stakes are becoming even higher. This was made starkly obvious by two security researchers at the Black Hat security conference, who showcased the ability to remotely paralyse a Jeep Cherokee's engine, or disable the brakes at low speeds.
Fortunately, at Tel Aviv-based Argus Cyber Security, Ofer Ben-Noon has led the development of a solution to keep our cars safe. Argus’ Intrusion Prevention System (IPS), embedded during production, uses cloud-based algorithms to monitor every signal sent across the car’s network to remotely detect and block suspicious transmissions, while the ability to remotely update the system prevents the need for a costly physical recall.
Learn more about how HP is helping to re-invent security.
In partnership with HP. Discover more
This article was originally published by WIRED UK