SA Forum is an invited essay from experts on topical issues in science and technology.
“We live in a connected world” is a well-worn axiom. Even so, few people realize the true extent of that interconnectivity. Networking giant Cisco Systems estimates that by 2015 as many as 15 billion devices will be connected to the Internet—more than double the world’s population. One forecast suggests that the number of such devices will reach 50 billion by 2050, and that is almost certainly an underestimate. Many of those machines will interact with each other without our intervention, and often without our knowledge. When that happens, the Internet of Everything will have truly arrived.
But the Internet of Everything faces significant security challenges. It will consist of billions of devices programmed to handle multiple functions autonomously and asynchronously. Any node could be an attack vector for the entire system. Locating and containing a breach in such a dynamic, distributed system may be close to impossible. This matters because an attack on the Internet of Everything won’t simply destroy data—it will disrupt the physical world.
The Internet of Everything has been described as a transition from “Machina habilis” to “Machina sapiens”—from a world where machines respond only to human commands to one in which machines, enabled with complex algorithms and adaptive behaviors, act as intelligent agents on behalf of individuals. By carrying out tasks ranging from optimized traffic management to monitoring the health of the elderly to nuanced control of energy usage, the Internet of Everything should make the world smarter and our lives easier. It will also make it much easier for hackers to cause real-world damage.
We’ve already seen this sort of attack happen. The first came in 2010, when the Stuxnet virus targeted the systems that controlled centrifuges used in Iran’s nuclear program, causing them to spin destructively out of control. Stuxnet, which was probably a joint U.S.–Israeli venture, quickly created blowback. In August 2012 an attack on Saudi Aramco, which supplies about one tenth of the world’s oil, destroyed or compromised some 30,000 computers and 2,000 servers. The attack, which almost certainly originated in Iran, was intended to stop Aramco’s oil production. Although the hackers failed, former CIA director Leon Panetta described the attack as “probably the most destructive attack that the private sector has seen to date.”
The Internet of Everything exponentially increases the potential for physically destructive cyber attacks. A 2010 paper on the security and privacy of wireless tire-pressure monitoring systems showed that hackers could easily intercept and decode a system’s sensor messages, triggering false alarms or spoof warnings that could potentially harm the driver. More recent research funded by the Defense Advanced Research Projects Agency (DARPA) has demonstrated the ease with which almost all the computerized systems in today’s cars—including the steering, accelerator and brakes—can be hijacked. Another researcher discovered that a system used to operate an electronic medicine cabinet for hospital prescriptions could easily be hacked, thanks to a software flaw. The potential for remote hacking of smart objects via new and novel vectors also exists. For example, Sandia National Laboratories is developing “radar responsive” tags, about the size of the stick-on RFID tags used in retailing. The tags remain dormant until awakened by a radar pulse from as far as 19 kilometers away—and then indicate their location. The potential for abuse is not hard to envision.