The Institute of Engineering and Technology
2013 could be the first year in which cyber-attacks lead to human deaths, a Web security expert has warned.
Corey Nachreiner, director of security strategy at security management firm WatchGuard Technologies, argues that the accelerated proliferation of both networked devices and online threats over the next 12 months will create a ‘perfect storm’ of vulnerable connected systems that, if targeted, could increase the chances of a ‘fatal malfunction’.
Networked road vehicles, Internet-ready medical devices, and intelligent buildings are among the emerging connected physical domains that will start to be targeted in 2013 by cyber criminals, hacktivists, pranksters, and other ‘malicious actors’ – including nation states –Nachreiner believes.
“Our lives become more dependent on computing devices every day,” he said.
“They are increasingly embedded in the infrastructure that provides us with energy and water.
“And all the time we are actively engaged in connecting all these devices together.
“Yet some of our most critical systems now suffer from fundamental vulnerabilities.”
Nachreiner warns that with more connected computer components embedded in cars, phones, TVs, navigation aids, and even medical devices, “digitally-dealt death is not only possible, it is plausible… though I hope that I am wrong”.
He also points out that technology now exists for roadside hackers to interfere with satnav tools, causing drivers to make life-threatening driving decisions, for instance, or even hack into automotive systems and cause airbags to inflate.
Medical systems themselves are also becoming increasingly connected through to public networks, which introduces another range of vulnerabilities, says Nachreiner:
“Recently, a researcher [at the Breakpoint conference, Melbourne] even showed how to wirelessly deliver an 830V shock to an insecure pacemaker”.
Other scenarios include intelligent buildings, where unauthorised online access to control systems for lifts and escalators could result in people being trapped when in need of urgent medical treatment, or critically injured due to sudden motion stoppages.
“We are connecting around the ‘air gaps’ that used to protect things like industrial control systems, in-building transport mechanisms, and medical systems,” Nachreiner explains.
“Despite the risks, security is often still an afterthought when innovative technical systems are being developed.”
Nachreiner is calling for a more regulated approach to software development, to ensure that insecure coding results in financial penalties for those responsible for flawed software.