GLOBALLY, WE’RE becoming increasingly connected to the internet – in our homes, in our vehicles, in our pockets and purses, and in factories, hospitals, and construction sites.
Internet-connect devices – or, collectively, the Internet of Things [IoT] – can make life more convenient and efficient. But the technology comes with risks.
As the recent WannaCry and Petya global cyberattacks on corporate computer systems demonstrated, anything connected to the web poses a potential risk. And the Internet of Things could become the next hacker threat, says Adam Cottini, managing director of Arthur J. Gallagher
’s US cyber liability practice.
“The rise in connected technology has led to a growing cyber threat relating to the Internet of Things,” Cottini says.
“This includes [cyber threats to] internetconnected devices in the home, potentially in a vehicle … in medical devices, in wearable devices and in critical infrastructure.”
Nowhere is categorically safe from hackers, including those things you take for granted on a day-to-day basis.
“When you look at the home,” Cottini says, “some items that are important to focus on – some of the most common [potential threats] – are thermostats, so your heating and air-conditioning.”
Imagine being held ransom in your home, in either boiling hot or freezing cold temperatures, having to pay a criminal to release the controls back to you. Or, Cottini says, a homeowner away for an extended period who loses control of their home thermostat in humid conditions could return to a mold-infested house.
Crooks taking over commercial refrigeration could also cause major harm, he says.
And then there’s the possibility – which has already been witnessed – that home security systems, cameras and microphones can be used to surveil and extort high-networth individuals, who often have highly connected homes.
“We’ve seen invasion-of-privacy events even with some of the toymakers,” Cottini says. “People have taken over the cameras in a toy, and you can listen and eavesdrop into a conversation. And can you get a ransom out of that? That’s a possibility. That actually takes the conversation way further than just a shutdown of a system in the way of the WannaCry or Petya viruses. This can go much further.”
According to Nick Graf, consulting director of information security for CNA’s risk control unit, modern internet-connected cars are also a dangling, shiny bauble for hackers to try to grab.
“Where do we see these types of [ransomware] attacks going next?” Graf says. “Where we see the big area [of concern] is in the Internet of Things. In a few short years, you’re going to see thing like your Nest home thermostat gets hacked.
“There have already been examples of car hacking that’s gone on,” he adds. “As you get automated cars, software always has vulnerabilities. I can totally imagine bad guys putting ransomware in your car, and now you’ve got to pay me $200 or your car is not going to start up. We think those things are likely to happen.”
Ransomware, which was used in the recent WannaCry and Petya attacks, is likely to be an easy tactic used by hackers in the near future. Locking a person’s access to their thermostat or car could easily entice them to pay up to regain control. Though the best defense is cybersecurity, many people do actually pay. A small fee like $300 may seem cheap to get your belongings back, but that’s what keeps the criminals in business.
“We see that, if you make the payments, they will decrypt your data, for the most part,” Graff says. “They just want your money. They are making millions of dollars off these schemes every year. If word got out that they weren’t unlocking the data, then no one would pay them after a while. Again, they want your money. They don’t care about your data.”
In some cases, the crooks will even go to the trouble of setting a type of help desk to walk people through how to set up a bitcoin account to transfer the money, Graf adds.
“There’s a theory of honor among thieves,” Cottini says. “Recently there was an example where one of the hackers had taken the bitcoin and didn’t actually give the encryption key to the victim. Then [other hackers] went after them, because the people who are involved in this expect a certain level of behavior.”