By Brennen Schmidt
ALEUS Technology Group
and Allan Bonner
Troy Media columnist
In old TV comedies, soap bubbles from the washing machine rise up the basement stairs and fill the living room, or the oven keeps baking until the cake occupies the whole kitchen.
This was funny before the Internet of Things (IoT) meant that someone in another country could make this happen in 1,000 homes simultaneously. Worse, a version of this could happen in hospitals or nuclear power plants.
Most of our large and small appliances, from smart phones and what’s in the kitchen through to the machines that run the machines that run our city’s street lights, are really computers that are part of a grid. These computers are vulnerable to malware – software that means you no good. Hackers can program malware to contact every computer in the world via their Internet protocol address, and this means most fridges, stoves, washing machines, smart phones, GPS, cars and so on.
This is a botnet. The botnet’s mission may be to destroy the devices it finds. Or the payload may be spam to tie up or deceive millions of other computers. If the device taken over is a heart-lung machine, its mission is now sending spam, not keeping a person alive.
This sounds like a horror movie starring computers rather than a blob from outer space. But versions of this have happened. Two former Apple engineers invented a thing to hang on the wall called Nest. It’s a smart thermostat that learns your behaviour and the weather in your area to adjust temperatures. It will also work in conjunction with other devices to adjust lights, locks, window shades and cameras. These have malfunctioned, heating up some people, cooling off others and setting off alarms.
In 2016, hackers got into 100,000 video surveillance cameras and turned them into a botnet that attacked and disabled hundreds of Internet sites. Why wasn’t a security camera secure? Often the manufacturer writes the password, and these passwords become known on the Internet black market.
Such an attack has a name: a distributed denial of service (DDoS) attack. The intended target system or group of systems is brought to a standstill, unable to keep up with an intense influx of requests from a multitude of devices and their Internet addresses. Such an attack is imminent, especially given the continued use of default device passwords in various Internet-connected things in people’s homes around the globe.
A few years ago, the California highway patrol found a stolen car by tracing its Internet connection. The police used this technology to slow the car down and turn off the engine. It’s good to catch bad guys who steal cars, but what if a bad guy turned off the brakes or slammed them on just for fun?
These and other examples are documented in the book Warnings: Finding Cassandras to Stop Catastrophes by Richard A. Clarke and R.P. Eddy. Some examples are even worse.
A mysterious group known as Sandworm is thought to have developed BlackEnergy – a whole family of malware. It can steal data and keep a door open on a computer system. It also features KillDisk, which wipes all software from a hard drive.
It’s even less funny to hear Joseph Weiss quoted in this book. Weiss is the author of Protecting Industrial Control Systems from Electronic Threats. He says he knows of 750 incidents that have killed more than 1,000 people. These incidents have been all over the world, in “electric distribution systems, transmission systems, hydro plants, fossil plants, nuclear, combustion-turbine plants, oil and gas pipelines, water and water treatment systems, manufacturing facilities, and transportation.”
We’re living in a time where a simple prank to get machines to malfunction could turn deadly. Worse, some of these issues are discovered completely by accident.
Hospitals and nuclear power plants run the risk of becoming the victims of such attacks, intentionally or not. Let’s just hope none of us experience the consequences.
Dr. Allan Bonner, MSc, DBA, is a crisis manager based in Toronto. His forthcoming book is Cyber City Safe. Brennen Schmidt (BEd, Certified PR, CUA) is principal of the ALEUS Technology Group, a boutique digital communications firm in Regina.