TALKING BUSINESS
Before you run to the kitchen to unplug your smart fridge, it’s worth noting that this issue applies to many smart devices, and here’s why.
If I were to remove the “brains” of my smart fridge – that is, the silicon chip and the operating system that runs on it – I’d find that they are the same as, or nearly identical to, the chip/operating-system combination in my smart TV, toaster, thermostat and door lock.
Actually, these chips and operating
systems are in millions of connected
devices, from industrial equipment in oil
fields and power grids to vital healthcare
equipment, such as drug infusion pumps,
defibrillators, and, yes, the refrigerators in
hospitals that ensure blood supplies and
medicines stay at a safe temperature.
How can that be?
Purpose-built ‘brains’
Once upon a time, the chips and operating systems used in different types of devices were purpose-built for that specific device and that particular industry. An oil and gas field monitor would carry its own custom-made chip and operating system. The same went for the power or healthcare industry. This might not have been particularly efficient, and it certainly wasn’t cheap, but it did mean that if a bad actor wanted to hack a particular piece of oil and gas equipment, he or she had to target that unique chip and operating system. If they wanted to target another piece of equipment, they had to start the whole process over again.
Effectively, the “brains” of the oil field equipment were as different from the “brains” of a defibrillator as an oil and gas field monitor is from a defibrillator.
Today, however, in the race to lower prices and bring connected and smart products to market quickly, manufacturers are using mass-produced systems-on-chip (SoCs) and off-the-shelf operating systems to give their devices “brains”, leveraging vast economies of scale to keep prices down. In this “race to the bottom”, the security implications of sharing one chip and one operating system across so many products receive far less attention than the price.
That’s why my fridge seems so smart about streaming music: it runs the same chip and operating system I’d find if I opened up my streaming audio speaker. The same goes for the oil and gas field equipment, or for the emerging generation of smart healthcare equipment such as the infusion pump in the hospital. Add a speaker and they could both play music just fine.
One bullseye, millions of targets
On a more serious note, however, this means that a malicious actor has to hit only one bullseye in order to compromise millions of devices.
Even if it is incredibly difficult – and both resource- and time-intensive – to compromise the chip or the operating system, the incentive to do so today is enormous: the threat actor gains access to millions upon millions of Internet of Things and other smart and connected devices, and can assemble them into enormous botnets to serve as a digital army.
When a hacker’s computer is building a botnet army for a distributed denial of service (DDoS) attack – such as the one executed against Dyn in the US on October 21, 2016, which was launched from the Mirai botnet of consumer IP cameras and video recorders – it doesn’t see a fridge, a toaster or an oilfield monitor. It just sees a vulnerable computer running a commoditised SoC and operating system.
INTELLIGENTCIO
www.intelligentcio.com