I think it will take a true catastrophe before anyone really understands just how vulnerable the Internet is.
Or how bad an idea it is to connect anything and everything to that Internet, particularly if it does anything important or potentially dangerous. If the Internet is one of the best ideas humanity ever had, the Internet of Things may prove to be one of the worst.
My personal nightmare involves a vulnerability in a popular model of remotely connected and semi-autonomous or autonomous vehicle. I don't think Western governments have any idea how much harm something like that could do or how plausible it actually is, and I don't think the auto industry executives care enough to stop it.
It doesn't need to be on the internet to be catastrophically exploited. Most buildings have zero defense against tailgating, let alone sophisticated covert entry. Most organizations contain people who can be tricked, bribed, or accidentally hire an adversary.
Disconnection can stop drive-by malware, people trawling for additions to their botnet collections. Someone who wants to launch a coordinated attack will have no problem getting behind the firewall or across the air gap at enough interesting networks to cause serious harm.
> Most organizations contain people who can be tricked, bribed, or accidentally hire an adversary.
I've been thinking about this all week. I discovered a fairly big vulnerability in our software the other day that allows anyone in the company to access data they shouldn't; not national-secret-level data, but enough that it could be somewhat valuable. We also have a number of people of a certain nationality that's somewhat hostile to the West; many of those people are programmers.
How would you differentiate incompetence that led to the vulnerability from maliciousness that intentionally caused it?
Hostile and known for subterfuge. Most are probably alright but one in particular also had a run at politics with a fair bit of financial backing from this country.
> My personal nightmare involves a vulnerability in a popular model of remotely connected and semi-autonomous or autonomous vehicle.
The CAN bus is a fundamentally insecure system. Devices accept that you are the device ID you say you are. The only way for a device to vote you out is for it to see its forged ID go out on the bus and then trash the bus. Not remotely failsafe.
Increasingly vehicles are networked systems. Devices need to act like it - encrypt data between themselves and authenticate each other. Without subsystem-level access controls (should the head unit be talking to the brake controller?) there is just too much attack surface.
You can no longer be secure on a "friendly bus", this is now a mini-WAN as far as attack surface, and has been since wifi/bluetooth/cellular basebands were put on the bus. Firmware updates need to be cryptographically signed (or jailbreakable with a user-selectable root CA cert).
Everything else is vehicle manufacturers whistling past the graveyard. The CAN bus is dead, it passed away probably 10 years ago, it's just zombie companies who refuse to re-engineer appropriately when they can just ignore the problem instead (recalls don't happen, right?). It's cheaper just to put the new head unit in.
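An added sketch, not part of the comment above, of the two controls it describes: a default-deny gateway policy between bus segments that keys on the ingress port instead of the claimed ID, and the own-ID check a node can run. Segment names, arbitration IDs and function names are assumptions chosen for illustration; the node here raises an alert where the comment describes trashing the bus.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Bus segments behind a hypothetical central gateway (names are assumptions). */
enum segment { SEG_INFOTAINMENT, SEG_BODY, SEG_CHASSIS, SEG_COUNT };

struct frame_meta {
    enum segment ingress; /* physical port the frame arrived on */
    uint32_t id;          /* 11-bit arbitration ID the sender claims */
};

/* Frames with IDs in [id_lo, id_hi] may be forwarded from src to dst. */
struct route_rule { enum segment src, dst; uint32_t id_lo, id_hi; };

/* Constructed policy; the IDs are illustrative, not from any real vehicle. */
static const struct route_rule policy[] = {
    { SEG_CHASSIS,      SEG_INFOTAINMENT, 0x100, 0x10F }, /* speed/status for display */
    { SEG_BODY,         SEG_INFOTAINMENT, 0x300, 0x33F }, /* door/light status */
    { SEG_INFOTAINMENT, SEG_BODY,         0x400, 0x40F }, /* climate requests */
    /* No rule with dst == SEG_CHASSIS: the head unit cannot reach the brakes. */
};

/* Default deny, keyed on the ingress port rather than the claimed ID. */
bool gateway_may_forward(const struct frame_meta *f, enum segment dst)
{
    if (f->id > 0x7FF || f->ingress == dst)
        return false;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct route_rule *r = &policy[i];
        if (r->src == f->ingress && r->dst == dst &&
            f->id >= r->id_lo && f->id <= r->id_hi)
            return true;
    }
    return false;
}

/* A node that owns an ID and sees it on the bus without having sent it
 * can only infer that someone else is forging it. */
struct node { uint32_t own_ids[4]; size_t n_own; unsigned spoof_alerts; };

bool node_observe(struct node *n, uint32_t seen_id, bool sent_by_me)
{
    if (sent_by_me)
        return false;
    for (size_t i = 0; i < n->n_own; i++)
        if (n->own_ids[i] == seen_id) { n->spoof_alerts++; return true; }
    return false;
}
```

The gateway rule stops a frame before it reaches the target segment, while the own-ID check only fires after the forged frame is already on the bus, which is the gap the comment calls "not remotely failsafe".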
The Singapore government implemented something similar a year earlier - disconnecting all government office computers from the internet. It's inconvenient, but in certain high risk use cases (power plants, airports, etc.) it might be essential because there will always be vulnerabilities in a system, especially when people are involved, no matter how well the systems are monitored.
Airports have everything from huge IoT systems managing the climate of the terminals, thousands of monitors for public information, controls for automated baggage handling, traffic/parking management sensors, vast sewer systems with sensors to manage storm/sanitary/glycol recovery/water, security systems (tens of thousands of cameras/doors being monitored), and then hundreds of smaller systems doing everything from managing ground transportation through to emergency dispatch.
I'm not sure it's even feasible to air gap all of that - the loss of productivity and additional cost would be far greater than the perceived security risks. Airports typically don't have large IT departments either, they outsource much of the work to consultants and cloud solutions. Critical systems should be, and are, air gapped but if something took out some of the systems connected to the internet it would be chaos.
One random aside... I work at an airport and did a tour of the ATC tower when I started. One of my first questions was how do they handle a loss of critical systems for landing planes. They proudly whipped out a massive signaling light (https://en.wikipedia.org/wiki/Aviation_light_signals) and explained how they use it. I actually found it quite reassuring that despite all of the technology they clearly had contingency plans in place.
> Airports have everything from huge IoT systems managing the climate of the terminals, thousands of monitors for public information, controls for automated baggage handling, traffic/parking management sensors, vast sewer systems with sensors to manage storm/sanitary/glycol recovery/water, security systems (tens of thousands of cameras/doors being monitored), and then hundreds of smaller systems doing everything from managing ground transportation through to emergency dispatch. … I'm not sure it's even feasible to air gap all of that - the loss of productivity and additional cost would be far greater than the perceived security risks.
Which of those systems would suffer from decreased productivity were they disconnected from the Internet? Indeed, I imagine that they'd experience increased productivity: there's no need for an air conditioning system to get its updates over the Internet rather than, say, by a human being with a thumb drive. Ditto monitors, ditto baggage handling, &c.
Many of these systems have a management UI available through mobile devices because of the need for staff to manage them while in the field or out of the office. As I said, some of the most critical systems are air gapped but there are critical systems that require an internet connection for practical use.
Emergency dispatch for example - the airport acts as a PSAP (https://en.wikipedia.org/wiki/Public-safety_answering_point) and requires integration into regional systems. They have radio backups but my understanding is that they pull a lot of data via the internet. The first responders also have cloud apps that help them route to a location or see the position of other nearby resources.
There is also considerable coordination with regional/national infrastructure owned by the airlines for managing when aircraft will depart/arrive. That would be much harder without an internet connection.
The airport will continue to operate safely if they lose internet connected infrastructure but the efficiency will drop quickly and the national airspace is like a busy road network - congestion in one area can rapidly cascade and cause chaos.
Now it takes a dealership visit and a supply chain to get a firmware update. Good luck getting that to fly in the era of day-one patches and 1.0 betas.
Why the fk does a car need a firmware update regularly enough that going to a dealership is a problem? I honestly find myself wanting dumber everything these days.
So don't connect it to the internet. That's the only way you're going to be able to secure a car. (Well, and don't run Bluetooth, and and and...) Let the car be a car. You want to be connected via your car? Your car is now insecure.
Yeah, I think vehicle software is going to be a nightmare. No way are they going to keep patching software after 5 years or maybe 10. I can imagine that a 20 year old vehicle will just be recycled into scrap because it has been compromised.
I personally don't really intend to buy any cars with a wireless network connection. I don't know how much longer that will be possible. But at least requiring physical access will help a lot. (And prevent a true horror: Someone figuring out how to make malware spread from car to car.)
Regarding "IoT": There's no reason your light switches should talk to the Internet, even for home automation purposes.
> I personally don't really intend to buy any cars with a wireless network connection. I don't know how much longer that will be possible.
Not very. In many areas, it is either already a regulatory requirement or about to become one that any new vehicle implements an automatic system that will notify emergency services in the event of an accident where no-one on board is able to call for help, sending information about the location of the vehicle and the nature of the accident. That inevitably requires both remote communications capability and integration with some of the other safety-critical systems in the vehicle. While this particular application may be a worthy goal that will genuinely save lives, the architecture it implies will inevitably also be more at risk of security vulnerabilities than an entirely disconnected vehicle.
I love having a connected thermostat, mind you. But I'm using INSTEON, which is controlled locally by my computer. Rather than trusting the security of a random IoT device, I ensure nothing can get to my devices except through my computer.