We risk a cyber 9/11

In early February, an unknown hacker or team of hackers remotely accessed the software that manages the water supply in Oldsmar, Fla. They attempted to inject huge amounts of lye into the municipal water, which could have lethally poisoned thousands of people. That attempted attack was thwarted due to sheer luck: An engineer happened to notice the mouse cursor of his computer moving across the screen seemingly of its own accord and took action before it was too late. Disaster was narrowly averted. The attack was likely not a random prank: Oldsmar is located just outside Tampa, where the Super Bowl was being held that week.

Because the attack was foiled and nobody was hurt, few people have heard about it. It was a blip in the news cycle. But the botched Oldsmar attack should have been much more of a wake-up call.

There is a ticking time bomb that we’ve embedded within our daily lives, from our water supply to internet-connected thermostats, to WiFi-enabled tea kettles. The so-called Internet of Things, in which objects that used to be fully offline are now connected to the internet, is a largely unregulated world. And because of that, it could easily become a source of immense tragedy if the government doesn’t pay more attention to this looming national security threat.

Cybersecurity consultant Ken Munro told me about the extremely lax security around various Internet of Things devices, from dolls and sex toys to internet-connected suitcases. Hacking these devices, Munro said, is often “off-the-scale easy and requires no technical skill at all.” In other words, the devices functionally have zero security. The products have been designed to connect to the internet with no serious thought about how to secure that digital traffic.

Stories about these vulnerabilities have gained prominence when researchers have warned that hackers could, for example, speak to a child through their internet-connected doll. But the larger threat to society, Munro argued, is when the centralized systems that manage Internet of Things devices are targeted. Such an attack allows something called aggregation, in which all of the WiFi-enabled tea kettles — or all of the smart thermostats from the same company — are simultaneously compromised.

“So, if I was to target a particularly hot area at the time of peak load and tell all the thermostats pushing your A/C across multiple properties to turn off and on at the same time, you create spikes on the power grid,” Munro explained. Because of the way power grids work, even a small attack could cause the grid to shut itself off as part of a self-protection protocol. In short, your smart thermostat or smart tea kettle could, if attacked in unison with other similar models, knock the power out for a huge swath of the United States. And as Munro argues, that means “we’ve inadvertently built weapons” all around us. Your seemingly harmless tea kettle, once connected to the internet, could be used to help trigger a widespread blackout that kills people.

Unfortunately, nation-states aren’t the only possible perpetrators of a devastating cyberattack. Freelance hackers or organized digital crime groups that have loose links to governments are also eager to wreak havoc where they can.

Security vulnerabilities have long been part of the digital technology debate. But Internet of Things devices are more problematic because people rarely download “patches,” or software fixes, when vulnerabilities get discovered. Your iPhone prompts you to download security updates, but how many people regularly update their tea kettle or their thermostat?

Similarly, while computers and phones are usually replaced every few years — which automatically means a security upgrade — many Internet of Things devices last for a decade or more, ensuring that any security they once had becomes obsolete. That matters because hackers can exploit any weak link in a given network to gain access to other systems on the same network. For example, hackers were able to access the sensitive financial data in a casino after they compromised an internet-connected fish tank.

Government plays a key role in regulating product safety and protecting national security. And yet much of the world of the Internet of Things is still a digital Wild West. One regulatory law was signed late last year, but the legislation doesn’t go nearly far enough. Months after it was signed into law, the municipal water supply in Oldsmar was still being managed by Windows 7, software released in 2009 that is no longer supported by Microsoft. There was one password for the entire system. And the system operators hadn’t even switched on two-factor authentication, a simple precaution that many ordinary people use to protect their email inbox, rather than a city water supply. There are quite literally thousands of similar vulnerabilities across the United States, even for obvious targets.

Twenty years ago, counterterrorism experts were issuing dire warnings about the threat posed by groups such as al-Qaeda. They were largely ignored. Today, digital experts are issuing dire warnings and are being largely ignored. We would be wise to take action now and avoid making the same mistake twice, so we’re not forced to commemorate another devastating, but avoidable, attack.

Klaas is on Twitter, @brianklaas.