Is the IoT apocalypse coming, or not?

There is a wide agreement on the fact that IoT is much more vulnerable to attacks than traditional internet, and even on the fact that IoT attacks could lead to considerable damage to all kinds of assets, logical and physical. But risk is not just about vulnerability level and potential consequences.

There is also intent. A vulnerability is only dangerous when an attacker actually decides to exploit it. The problem with intent is that it is definitely not obvious to measure, especially on new risks by new kinds of attackers. Here we can oppose two theses, between Bruce Schneier’s core theory from Click Here to Kill Everybody and James Andrew Lewis’ theory from his 2016 Managing Risk for the Internet of Things CSIS report.

Terrorists and Enemies

Lewis’ reasoning is that we have been promised major cyber disruptions on traditional internet for a long time and that we are still waiting to see one. His reasoning about terrorists is interesting, as he explains that terrorists tend to prefer tactics that include “direct action, bloodshed, and political drama.” I agree with him, but I still think that a terrorist group with the same financial means as the 9/11 commandos could very well use IoT today as an amplifier of their attacks, for instance by having a botnet contribute to the chaos by attacking key services.

The main difference between Lewis and Schneier, though, is about the likelihood of exploitation of IoT vulnerabilities in the context of war. Here, the assumptions are different, as Lewis considers that a massive cyber attack would be deterred by potential response from the U.S. whereas Schneier considers that (1) it could be useful in the case of an already started war, and (2) that the difficulty to attribute an attack could lead to misguided retaliation or to the absence of retaliation.


There are also a few significant differences between Lewis and Schneier on other topics, which I outline below:

  • About consequences, Lewis mentions that “most vulnerabilities found on IoT devices lead to events that would qualify as pranks.” He acknowledges that botnets can be created, but he dismisses them by mentioning improved defenses against DDoS attacks. Schneier is much more cautious, and I would be as well. Botnets could be used for other things than traditional DDoS, for instance for attacking other vulnerable devices.
  • About cyberwar, the same difference in considering only repetitions of existing attacks leads to similar differences, where Lewis dismisses the risk of potential consequences of a full-scale cyberwar.
  • Finally, Lewis considers that the risk will decrease as we get more familiar with the technology, and our experience grows. This is partly true, but it is only valid if we build experience fast enough to offset the increase of risk due to continued deployment of new technologies, which is not obvious today.

At this level, we are talking about opinions and predictions. Depending on whether you believe that history repeats itself or that we always get interesting new things, the conclusions are different. Well, my motto for 2019 still is “The times, they are a changin’ “, so I believe in the unpredictable.

Does it matter?

Note that it doesn’t matter that much. The conclusion from James Lewis does not differ greatly from Bruce Schneier’s. In the end, he recommends that the government “can accelerate risk reduction with the same methods we use for general cybersecurity: research, liability, infrastructure and regulation.”

The IoT insecurity issue may not be of apocalyptic scale, but it nevertheless remains an issue that needs to be considered by governments.

We’re back for 2019!

It’s 2019, and it took me 2 months (including a great deal of procrastination) to fix a PHP version issue after a site migration. My hate of PHP just grew a bit more… In this early 2019, the Road to Bandol can be quite dangerous, as exemplified by the video below: Yep, that’s the Bandol […]

Time bombs, from climate to IoT security

The comparison between IoT security and climate change is getting better every single day, and I am not sure that this is good news. A few minutes ago, a tweet on climate change got my attention: This is not the new normal, just a pit stop on the way to decades and decades of deteriorating […]

The Collective Risk of IoT

One of the favorite activities of certification experts is to define security levels based on risks. Such levels allow us to put the items to be certified in well-defined boxes. Then, we can certify them according to the rules on that box/level. Until recently, life was easy, and we could define levels easily. Since 3 […]

Should we Protect Cars from Terrorists?

Some days ago, Mark Cuban published on LinkedIn a question about weaponized cars: who has developed solutions to detect/prevent such events? I live close to Nice, so I would definitely extend the question to trucks, and basically to anything heavy that moves faster tn humans. Terrorists are not easy to distinguish from normal drivers before […]

Is it Reasonable to Own a Connected Car?

I have been hearing for a while that « cybersecurity is a process » and that one of the issues with executives is that they don’t understand that: most of them think that cybersecurity is a problem that should be solved by engineering. When you think about an online service’s lifecycle, it all makes sense. […]

Des contraintes naît la beauté

This quote from Leonardo da Vinci “Beauty is born from constraints” was chosen by Alain Colmerauer as the motto for Prolog IV, the last iteration (for now) of the Prolog language, déveloped by Prologia in the early 1990’s. Alain Colmerauer passed away this week. I have plenty of memories about him, starting from classes with […]

Think like an attacker with a bottom-up threat analysis

A risk analysis is a great tool when planning the security of a product. This is typically done with a top-down methodology: You first define assets, then identify threats or risks on these assets, followed by attack strategies and attack objectives, countermeasures, getting finer and finer. These methodologies present many advantages, and one of the […]

Can we try to get some IoT devices right?

Last week at RSA, various crypto stars, including Don Rivest, Adi Shamir, and Whitfield Diffie, have discussed security research trends in a panel, and the conclusion seems to be that quantum computing and AI are not the real priority with the Internet of Things. The priority is, or should be, to invest in better programming. […]

Attacking IoT is really easy

A few days ago, Metasploit has announced that their famous tool is now available to car hackers, and soon for any connected object. Metasploit is a well-known tool for web apps, and extending it to objects simply makes these objects as easy to hack as web apps. Indeed, there are many aspects in common between […]