Charlie Miller and Chris Valasek (security experts with Uber's Advanced Technology Center) demonstrated a Jeep Cherokee hack in 2015, during which they took control of onboard systems. The hack took place over the internet, from the comfort of their homes. It exploited a vulnerability in the Jeep's entertainment system to gain initial access, after which they moved into other systems, such as the steering and brakes.
The following hypothetical hack shows how a similar scenario might play out in a future smart home in the age of the internet of things (IoT).
Imagine it's 1:30 a.m., and you've just finished preparing a presentation for an important meeting later that day in another city, and you need to wake up at 6 a.m. to catch a flight. You live in a smart home in the age of IoT. Almost all of your appliances are connected to a centralized wireless network, and they "talk" to one another. Your fridge scans the barcodes of items within it and sends automated messages to your phone—to add milk to your grocery list, for example, when you're down to your last gallon. Your coffee machine is programmed to make your favorite brew at the same time every morning.
You get into bed and tell your alarm clock (which is routinely set for 7 a.m.) to wake you up at 6 instead. As you try to go to sleep, you are woken by a notification on your phone: Your shower has noticed that you changed the setting on your alarm and wants to know if it too should activate one hour sooner. You click yes and try again to doze off. But the coffee machine also noticed the change and sends a similar email. Then the toaster sends yet another. At this point, you are fed up and tell all of your appliances you want no further notifications until you get back in a few days.
The next day, robbers show up at your home, having found out from social media that you will be away. They are part of a criminal organization that paid more than $100,000 for a zero-day exploit (the opportunity to use an undisclosed computer-software vulnerability before a developer can fix it) specifically targeting the networks of smart homes. Either the robbers themselves were trained in the use of programs to hack into your smart home or they have help from programmers hired by their organization.
The hack begins through a security vulnerability in your toaster's Bluetooth. This may seem innocuous, but the toaster communicates with the smoke alarm, and the smoke alarm and security system are part of a subsystem monitored by your home security company. Once inside your system, the robbers determine that you have disabled notifications for your appliances, and that—in your haste to leave—you forgot to set them on vacation mode. As a result, neither you nor your home security company is notified when the robbers' hack moves from the toaster to the smoke alarm and then to the security system. They proceed to turn off your home security, unlock your doors, enter your house, and take what they want.
The above scenario illustrates three key points:
1. A security system is only as strong as its weakest link
2. Cyber attacks are often at least partially a result of negligence on the part of human users
3. The world of the future is one in which almost every device will be connected to almost every other
Points 1 and 2 are already true, but the problems they pose will be amplified in the future. In particular, points 1 and 3 together pose a significant challenge: The more devices are connected to one another, the more potential sources there are for the weakest link, and the harder it is to secure a network.
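The weakest-link point can be checked mechanically by a homeowner or installer. The following is an added example, not part of the original article: it models the scenario's devices as a directed graph, lists every device from which the security system is reachable, and shows how removing a single link shrinks that set. The device names follow the story; the link table and the function names are assumptions made for illustration.

```python
from collections import deque

# Constructed model of the scenario's home: an edge A -> B means device B
# acts on messages from device A. The links are read off the story and are
# an assumption of this example, not a real product's topology.
LINKS = {
    "alarm_clock": ["shower", "coffee_machine", "toaster"],
    "fridge": ["phone"],
    "toaster": ["smoke_alarm"],
    "smoke_alarm": ["security_system"],
    "security_system": ["door_locks"],
}

def path_to(links, start, target):
    """Shortest chain of links from start to target (BFS), or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in links.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def exposure(links, target):
    """Map each device that can reach target to its shortest path."""
    devices = set(links) | {d for outs in links.values() for d in outs}
    paths = {d: path_to(links, d, target) for d in sorted(devices - {target})}
    return {d: p for d, p in paths.items() if p}

def segment(links, src, dst):
    """Copy of links with src -> dst removed (a hypothetical segmentation step)."""
    return {a: [b for b in outs if (a, b) != (src, dst)]
            for a, outs in links.items()}

if __name__ == "__main__":
    for label, net in (("as built", LINKS),
                       ("toaster isolated", segment(LINKS, "toaster", "smoke_alarm"))):
        print(label)
        for dev, path in exposure(net, "security_system").items():
            print("  ", " -> ".join(path))
```

Every device listed under "as built" has to be as well secured as the security system itself; each new link added to the table can only keep that list the same or make it longer.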