Why You Shouldn’t Be Afraid of ‘Murder By Internet-Connected Devices’
Fear-mongering is an effective sales technique, but a recent prediction from security firm IID is gratuitous and bizarre. CIO.com blogger Constantine von Hoffman wants IID to put its money where its mouth is.
There’s ordinary fear mongering and then there’s gratuitous, stupid fear mongering. Into the latter category I place a recent 2014 prediction from IID (Internet Identity), “a provider of technology and services that help organizations secure their Internet presence.” The following is from an IID press release:
“With nearly every device, from healthcare to transportation, being controlled or communicated with in some way via the Internet, IID predicts that criminals will leverage this to carry out murders. Examples include a pacemaker that can be tuned remotely, an Internet-connected car that can have its control systems altered, or an IV drip that can be shut off with a click of a mouse.
“‘With so many devices being Internet connected, it makes murdering people remotely relatively simple, at least from a technical perspective. That’s horrifying,’ said [CTO Rod] Rasmussen. ‘Killings can be carried out with a significantly lower chance of getting caught, much less convicted, and if human history shows us anything, if you can find a new way to kill, it will eventually be used.’”
Methinks Mr. Rasmussen has spent way too much time at the movies and/or reading comic books. This is exactly the kind of thing a supervillain–and no one else–would think of. Few murders are planned in advance. Also, as recent events show, those that are premeditated and are successful rely on simplicity. Otherwise they usually don’t work. I suggest Mr. Rasmussen spend a week or so hanging out with the crime reporters of The New Orleans Times-Picayune, The Chicago Tribune or The Chicago Sun-Times. It will give him an unparalleled education in the subject of murder.
Another flaw in this prediction is that “murder by Internet-connected devices” has been possible for a while and no one has perpetrated the crime. (The same thing can be said about the current threat to U.S. critical infrastructure, which I keep hearing is going to end up in a “cyber Pearl Harbor.”)
So I posed this question to IID:
“There is a huge difference between a vulnerability being possible and actually being used. For example, we’ve known and been warned about the vulnerability of our critical infrastructure — utilities, water, etc. — for more than a decade and there hasn’t been a single attack on any of them. What makes you think medical devices will be any different than that?”
Here is an answer from Paul Ferguson, VP of threat intelligence:
“Actually, that’s not entirely true: https://threatpost.com/en_us/blogs/fbi-memo-shows-hackers-accessed-commercial-hvac-systems-121312 …and there have been other ‘unauthorized intrusions’ in what most people would consider ‘critical infrastructure,’ including water processing facilities, etc. We’re marching towards, what some people call, the ‘Internet of Things,’ where we are beginning to see more & more ‘things’ being able to be accessed remotely via the Internet — starting your car with a mobile app, checking your home security system, etc. If you can access it remotely as an ‘authorized’ user, chances are it can also be accessed remotely by an ‘unauthorized’ user, too.”
In my book that’s very different from an attack which would involve actually doing damage.
And from Mr. Rasmussen himself:
“For critical infrastructure attacks, that will typically be nation states or terrorist organizations. Those are fairly small in number, and in the former case, there are serious repercussions to launching such an attack. Events like this in the ‘real world’ number in the hundreds per year. Now, provide the means for people to cause direct harm to each other, whether that’s assault or even murder, and now you’re talking 2-4 orders of magnitude more people who are looking to commit those crimes. Add in motivations like insurance fraud, theft, etc. that could be done via similar techniques, and you’re looking at a much bigger set of people looking to commit crimes. If they can do so remotely, anonymously, or at scale, wow, even better. It took criminals about 5 years to figure out phishing after the vulnerabilities were there, and that was with less ‘Internet savvy.’ I see people using the connectedness of tomorrow’s world a lot faster, and with just more actors. That’s why it’s different.”
Except there is money–a lot of it–to be made from phishing and the like. “Insurance fraud?” See my comment above concerning movies and comic books.
So, Mr. Rasmussen and Mr. Ferguson, let’s see if you really believe what you claim: I bet you $1000 (going to a charity chosen by the winner) that no such murder occurs by the end of 2014. No whining about how it would be hard to detect; you made the prediction, now stand by it. Let’s also even this out a bit: $1000 would actually put a substantial dent in my wallet but not in your bottom line. So you give me 1:10 odds on this. I win and you are out $10,000.