Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Security

Security Experts Believe the Internet of Things Will Be Used To Kill Someone 165

dcblogs writes: Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists. Or someone who hacks into a connected insulin pump and changes the settings in a lethal way. Or maybe the hacker who accesses a building's furnace and thermostat controls and runs the furnace full bore until a fire is started. Those may all sound like plot material for a James Bond movie, but there are security experts who now believe, as does Jeff Williams, CTO of Contrast Security, that "the Internet of Things will kill someone". Today, there is a new "rush to connect things" and "it is leading to very sloppy engineering from a security perspective," said Williams. Similarly, Rashmi Knowles, chief security architect at RSA, imagines criminals hacking into medical devices, recently blogged about hackers using pacemakers to blackmail users, and asked: "Question is, when is the first murder?"
This discussion has been archived. No new comments can be posted.

Security Experts Believe the Internet of Things Will Be Used To Kill Someone

Comments Filter:
  • Already been done (Score:5, Insightful)

    by spire3661 ( 1038968 ) on Friday November 28, 2014 @11:14AM (#48479337) Journal
    This event has already occurred, it just wasnt called Internet of Things. IN short, this is pure click-bait.
    • by ColdWetDog ( 752185 ) on Friday November 28, 2014 @11:16AM (#48479347) Homepage

      Indeed. Every single bit of technology ever devised has been used to kill people. It's what we do.

      Unless you're writing cheesy made-for-TV movies, nothing to see here. Move along.

      • by EvilSS ( 557649 ) on Friday November 28, 2014 @01:36PM (#48480109)

        Indeed. Every single bit of technology ever devised has been used to kill people. It's what we do.

        Unless you're writing cheesy made-for-TV movies, nothing to see here. Move along.

        I wonder if anyone has ever used click-bait to kill someone....

        • by znrt ( 2424692 )

          I wonder if anyone has ever used click-bait to kill someone....

          you may be referring to kill-bait?

          anyway, that ubiquitous and cheap tech now enables everyone to mass-kill is just fair. us & israel should suck it up and show some sportmanship at least.

      • Indeed. Every single bit of technology ever devised has been used to kill people. It's what we do.

        No kidding. Remember the Refrigerator Murders of '03? Those were particularly gruesome...

      • by lgw ( 121541 ) on Friday November 28, 2014 @02:32PM (#48480503) Journal

        Indeed. Every single bit of technology ever devised has been used to kill people. It's what we do.

        False. New technologies are divided between "invented to kill people" and "porn". With a few like the internet being dual-purpose.

        Or, as the saying goes "there are two kinds of engineers: those who build weapons, and those who build targets".

      • Indeed. Every single bit of technology ever devised has been used to kill people. It's what we do.

        And not only that, what else would be the purpose of this 'Internet of Things (TM)'? It certainly doesn't address any problem in need of solving except, perhaps, overpopulation.

    • This just in, security experts believe fire may be used to kill someone.

      • Old news, Ugg of the Swamp Cave wrote a paper on it and did a proof-of-concept experiment on Gruk of the Forest Cave.

    • Yes, it's click-bate, but I agree that there's a rush to connect everything to the internet without thinking about the security consequences; we have enough trouble securing the things already connected to the internet -- never mind an huge influx of cheaply-made, dumb, internet-connected knob turners.

      Others have suggested that this isn't new because all technology can and has be used to kill people, but IMHO, the potential for "democratizing" remote and unwanted destruction of physical things is unnerving.

      • by GNious ( 953874 )

        There is a slight issue here: Not everything is completely lacking in security, in the IoT world.

        Yes, there is likely a HUGE PILE of stuff out there, where security is flawed beyond repair, on devices doing critical things, but there are also companies that at least try to make safe equipment and have their gear reviewed.

        So, before we reject all things IoT, how about we start by accepting those shown to be decent?

        *Cue observations about nothing corporate is decent*

        • by ahodgson ( 74077 )

          Name one? Bonus points if the maker's business model doesn't revolve around selling your personal habits and data for profit.

        • by mlts ( 1038732 )

          How about we go to a third model, and that is DMZ networks with hardened chokepoints. We can do this with existing protocols.

          For example, we have a subnet that has a fridge, oven, dishwasher, and power distribution unit on it. A central device with a hardened exterior firewall controls what goes out. At an extreme, one can build firewalling functionality into the hardware NIC so if the device's OS is compromised, it still has protection.

          The central device uses SNMPv3 to walk the devices. If finds the fr

          • How about we just not do it?

            I don't need my microwave, toaster, coffeemaker, fridge, stove, connected to the Internet.

            Nor my TV, lighting, or sound system.

            Nor my toilet.

            The smarter things get, the dumber we get. How many of us, if we loose our smartphones, won't remember the phone numbers of the people we should call to give them our new number? If this keeps on, eventually we'll need an app just to call 9-1-1.

            Simpler is often better and cheaper, and when something goes wrong, easier to fix.

            • 1. Buy a new phone.
              2. Get a new sim with your current number on it.
              3. Restore last backup to new phone.
              4. Profit!

              I know all the important numbers I usually call since Siri's name recognition isn't really reliable enough to use. I usually just dial by saying "dial 555-7654"
              At college in '93 someone in the computer science building connected the Coke machine to the net. You could telnet in and get the current temp with an ascii art representation of how many cans were loaded in each slot. Totally
              • Totally useless, but totally awesome.

                That pretty much sums up the whole thing - it's totally useless, but people are thinking "KEWL" like this must be the next big thing.

                And if you have an electric stove, you can leave the burner on 24/7 and it won't burn your house down unless the cat decides to commit ritual suicide on it, then runs around spreading burning cat-fur all over the place. And the easy way to prevent that is to get a dog what you can bring with you :-)

                • When I was much younger, I left an electric range on warm for days. I never noticed until I set a box of rice krispy treats on the warming burner and left them for hours. It was a small apartment and counter space was a premium. I often stored flat things on the range to save space. Needless to say, I don't do that anymore. Since then, I've always had a certain paranoia about leaving the range on. Now I have gas, so no worries.
          • Why does the fridge data need to go out to a third party before reporting to me? That is the shit im sick of. Give me ways to access the data LOCALLY inside my own loop.
            • by mlts ( 1038732 )

              Maybe the best answer is to have the fridge have SNMP ability, and let one's own computer walk the MIBs periodically and respond to traps by the appliance. This is an existing protocol, available in virtually every single OS.

    • by jythie ( 914043 )
      In its sensationalism it also skips over the bigger problem. The larger risk is not some geeky killer who does something fancy with tech rather then, oh, I don`t know, hitting someone with a brick.. instead it is how bugs and untested interactions between all these devices could lead to accidental death.
    • @Spire3663

      Nice snarky comment, but not helpful.

      What you seem to forget is that the current trend in development (buzzworded 'Internet of Things") is about to make the infrastructure that is open to unauthorised access a million times more pervasive, and the real-world impact of such unauthorised access a thousand times more severe. As in people getting killed.

      This article is one of the first (more or less mainstream) articles where the danger is recognised, named, and presented in a way even Joe Sixp

      • We are not Joe-Six-Pack here at Slashdot. We have no need for this kind of dumbed down article, its beneath us.
        • by golodh ( 893453 )
          @spire3661

          So what you're saying is: you have no quarrel with the article as such, but you only think Slashdot's editors are at fault for putting it in here because it's too simple? Is that it?

          If so perhaps it's good that it was placed on slashdot so as to show us an example of how a train of thought has to be shortened to be suitable for the mainstream media.

          Just so that you know ... people who think at the level of this article are the voters who ultimately determine whether and to what extent measur

  • by Ihlosi ( 895663 ) on Friday November 28, 2014 @11:16AM (#48479349)
    ... they should return their "security expert" certification.
  • Bad actors have been using cell phones to trigger IEDs for a while now.
  • Ummm ... Duh? (Score:5, Insightful)

    by gstoddart ( 321705 ) on Friday November 28, 2014 @11:30AM (#48479415) Homepage

    Given how lazy and incompetent most device makers are about security, as soon as you have a bunch of marketing guys going "yarg, teh interweb of things" you just know there's going to be terrible outcomes.

    They're not interested in designing something which is good, or safe, or well engineered. They're interested in being first to market, and what to put on the power point slides. Which means they'll take shortcuts, or ignore security entirely.

    So, I'm sorry, but I'm betting a chunk of people on Slashdot have been saying this would happen for years -- I know I have, and I've seen lots of other people say so.

    I have always thought the IoT was both a stupid idea, and one which would eventually kill someone.

    No way in hell I'd give my fridge or my toaster access to my network, because I don't see any value in that.

    This is the pipe dream of marketing people, and futurists who claim this will somehow improve our lives. But without a lot more proof these companies know what they're doing, you can't trust them.

    Hell, the people who make things which are supposed to be connected to the interweb can't get security right. The people who make your fridge? Not bloody likely.

    Don't want your smart TV, don't want your smart toaster.

    • by zr ( 19885 )

      first off, i agree with you in principle.

      however, i'd like to take issue with the qualification "lazy and incompetent". companies do what the market demands of them. examples of companies that create markets are very rare.

      in the world we live in, succeeds the company which sells the most not the company that makes the best.

      being the first to market is a major factor of selling the most. and that is _our_ doing. its _us_ who have selected (thank you Darwin!) companies to rush to market plug and play crap.

      • by znrt ( 2424692 )

        so true. so it's actually _us_ who are "lazy and incompetent". good we know, that would be a start.

    • Ummm ... Duh? (Score:4, Insightful)

      by nbauman ( 624611 ) on Friday November 28, 2014 @01:36PM (#48480111) Homepage Journal

      No way in hell I'd give my fridge or my toaster access to my network, because I don't see any value in that.

      You don't see any value in perfect toast?

      • by znrt ( 2424692 )

        eating the exact same toast every single day in your life ... you have lost your mind!

    • Hell, the people who make things which are supposed to be connected to the interweb can't get security right. The people who make your fridge? Not bloody likely.

      I was going to make a joke about how little a fridge could do to kill you, then I remember something that happened to me and my wife a couple weeks ago.

      We were at a local grocery store and she picked up some cheese with an expiration date in November 2016. I told her my doubts (I don't recall any refrigerated cheese ever lasting that long).

      My wife's response was that the label said it so it must be true. And this is coming from someone who doesn't believe the medical community much to begin with.

      Two weeks

    • by dwye ( 1127395 )

      As far as them being "lazy and incompetent" goes, the people designing the Internet of Things are doing nothing different than the people who designed the Internet of networks. Back then, they assumed that the main danger would be unexpected network partitioning, not some man-in-the-middle attacker sending lies to major routers or DNS sites (hell, back then DNS was a file maintained by Jon Postell out of the goodness of his heart, sent out every so often to replace the previous /etc/hosts file for all host

  • Og say (Score:5, Funny)

    by Greyfox ( 87712 ) on Friday November 28, 2014 @11:35AM (#48479451) Homepage Journal
    One day rock be used to kill someone. Og think mankind is the real monster.
  • Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists.

    Egad! Never mind that, imagine what they could do with an entire pla- nevermind.

  • by Anonymous Coward on Friday November 28, 2014 @11:49AM (#48479531)

    They did accept a $10 million bribe from the NSA to gimp their own security.

  • I turned on a firewall, bought ESD boots, and upgraded to Acme AV Pro!

    They can't kill me now.
  • Does that mean that a dial-up connection would result in a slow, painful death?
  • by Anonymous Coward on Friday November 28, 2014 @12:00PM (#48479593)

    http://www.salon.com/2013/08/21/report_michael_hastings_feared_his_car_had_been_tampered_with/

  • ... believe that this new fire thing will kill someone
    ... believe that this new talking thing will kill someone
    ... believe that this new reading thing will kill someone
  • by MitchDev ( 2526834 ) on Friday November 28, 2014 @12:10PM (#48479647)

    Fucking DUH!

    This stuff isn't something we have to imagine, books and movies have already shows tons of nefarious ways to use this idiotic "internet of things"

    Not everything needs to be connected to everything else...

  • A lot of "smart" things can, are, and will be used to kill people, from smart cars to pacemakers. But the main vector will still be the dumb buyer.
  • by X!0mbarg ( 470366 ) on Friday November 28, 2014 @12:32PM (#48479759)

    Perhaps engineers might actually come up with a different angle: How about "This Device is certified to NOT be connectable to the Internet of Things".

    Simple. To the Point.

    Certified Dumb Device.

    Might be a thing to consider.

  • by TropicalCoder ( 898500 ) on Friday November 28, 2014 @12:37PM (#48479787) Homepage Journal

    The Seduction

    Imagine the world 10 or 20 tears into the future, when the IoT is becoming fully realized. Our homes and businesses have become a large network of every manner of "thing". Due to "network effects", the value of this technology and its ability to transform our lives has grown exponentially, way beyond what we could ever imagine. We are very bit as dependent on The Internet of Things as we were on the Internet of decades ago.

    The Reality Today

    The Internet, with all its wonders it has brought us, is out of our control. It appears there is no way to secure it. There is no end to hacks and vulnerabilities. Spam, viruses, malware, credit card breaches by the millions, military secrets stolen, loss of privacy on massive scale, DoS attacks, hacking into peoples web cams and microphones, entire systems p0wnd (Sony lately), billions upon billions of dollars in losses and damages. How can we go on like this? All the brilliant ideas of our best computer scientists to protect our computers and systems seem useless. The criminals are always one step ahead of us, no matter what we do.

    If we could have predicted all the problems with the Internet as it is today, back when - would we have embraced it as we do now? It can only get worse with the IoT. Imagine when every day items start attacking you like some scene from a horror movie. It will become our worst nightmare.

    We need to pause, step back, and look at the bigger picture.

    Unfortunately, I have no answers. All I have are questions.

    • by mlts ( 1038732 )

      We had the ability to have a secure Internet back in the 1990s. However, with the average corporate desktop copy of Windows initially having no security other than logging into the Netware server to show a share, security primarily moved to the network.

      The problem with IoT is that we (as in general organizations) have a lot of experience in securing networks. However, all IoT devices are edge devices... and it doesn't take a CCIE to realize the problem with that, especially the fact that the tech to secur

  • these newfangled horse less carriages stampeding down roads running people over. Now imagine a group of no good terrorist using those the run people over. So I say lest get back to horses and slow down a bit, step back, and look at the bigger picture.

  • Anything you can name, will eventually be used to kill someone.

  • Humans have killed people with all sort of technology. They are quite creative about the topic. They drowned people in their own bathtub or toilet. They burned down houses and even used pest invested dead people as weapon. Of course they will use any new technology also to do it. However, using model planes or helicopters to kill people is not new. Furthermore, they are not Internet of Things or IoT is any remote controlled vehicle implying the radio control is also some sort of Internet. In general IoT is

    • The problem is a completely different one. Namely that judges don't know jack shit about technology. Which means we'll get two things at once, on one hand judges that will buy into the hype and believe anything thrown at them concerning how Mr Evilhacker killed my beloved Granny (who just happened to leave everything to me, but that's not the point now), and on the other hand we'll get judges that simply cannot wrap their mind around just exactly this happening and letting actual people who used this vector

  • Hello, HAL. Do you read me?
  • by kheldan ( 1460303 ) on Friday November 28, 2014 @01:54PM (#48480241) Journal
    ..and this is what I've been saying, and will KEEP saying.
    No lack of full manual controls.
    No lack of an unimpeachable manual override of automated control.
    Preferably, no wireless way to access the vehicles' systems at all.
    All operators of 'autonomous' cars still required to be trained and certified for full manual control of the vehicle.

    Anything else would be utter madness.
  • "Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists."

    Imagine a fleet of diamond mining slaves equipped with shovels and controlled by capitalists. :)

    We could do this all day long. There are too many ways to kill people but only because people kill people.

  • [_] easy access to weapons (that can be used in murders)
    [_] difficult access to weapons (that could be used to *deter* murders)
    [_] people who make themselves potential targets
    [_] too revealing clothes
    [X] murderers
  • I'd like to see the FDA (and its counterparts in other countries) require medical device manufacturers to make the source code for their products available under an OSI-approved open source license. Submission and review of the code would be a prerequisite for a device to be approved for sale and use in a particular country. If someone implants a device, e.g., a pacemaker, in me, I'd like to know exactly what it's doing. Does it call home and transmit my medical data to the vendor (or elsewhere)? Does that
  • by weilawei ( 897823 ) on Friday November 28, 2014 @02:27PM (#48480469)

    Similarly, Rashmi Knowles, chief security architect at RSA, imagines criminals hacking into medical devices, recently blogged about hackers using pacemakers to blackmail users, and asked: "Question is, when is the first murder?"

    Shortly after you fuckers took a $10M bribe to weaken your security. It would be the icing on the cake if someone died because of that.

  • Imagine a fleet of quad copters or drones equipped with explosives and controlled by terrorists.

    We already have fleets of drones equipped with explosives killing people. No terrorists required.

  • They mean used to kill someone on purpose, which is obvious. A more interesting question is, will the "Internet of things" kill someone deliberately or accidentally first? (Sadly it probably already has on both counts.)

  • From my observation, the Internet of Things is being sold to companies that want big data and lower costs obtained by monitoring end-users and their gear. Since the end-user is not the customer, it is not surprising that there is lots of very sloppy IoT code and gear out there. A few lawsuits will help this situation, but it is unfortunate that some people will have to suffer for that to happen.

  • ...or Get Smart episode? - You be the judge.
    • Given the way the US run today, it's more an episode of either CSI or Law and Order.

      Who cares that someone died, there's someone to be sued here! KA-CHING!

  • There was a Doctor Who novel, I think this one, The Murder Game by Steve Lyons [amazon.com], where there was an "Assassination program"... a sophisticated malware package that just required to be configured with the victim's name, and it would search out means to physically kill them via computer-controlled objects.

    I'm no expert, but even today it sounds almost possible. You need: (1) a way of tying victims to physical objects and locations (DMV records, toy purchases, planning permission applications, ... ), (2) hac

  • I pity the fool who gets to bite it, but apparently it is a necessity that people can die from something before anything remotely resembling safety and security gets implemented.

    Then again, why should I pity someone who has no idea what he is doing but feels the pressing urge to do it anyway?

  • Comment removed based on user account deletion
  • Or someone who hacks into a connected insulin pump and changes the settings in a lethal way.

    for the lulz!

  • The net and computers are simply tools. In fact they are very powerful and world changing tools. And the funny thing is that good things almost always take a life here and there. How many people have perished from a table saw accident? And even as something as innocent as a play or a sonnet will tend to leave a body count. I'd bet money that arguments by Shakespeare experts have led to violence now and then over the meaning of a phrase in some work of Shakespeare. And the Bible and the Koran both

Our policy is, when in doubt, do the right thing. -- Roy L. Ash, ex-president, Litton Industries

Working...