Want to Keep Hackers Out of Gadgets? Try International Law
Imagine this scenario: You’re on vacation in the beautiful Austrian Alps, heading out for breakfast, but your room’s door won’t open. The hotel uses electronic locks that are connected to a network, making it easier to manage the hotel, while also getting rid of the obsolete analog locks. Only this time, the convenience provided by these electronic locks is a double-edged sword: The technology also enables cyber criminals to hack the locks and demand ransom, usually in the form of cryptocurrency, in return for unlocking the door.
While this scenario sounds hypothetical, last month a fully booked four-star hotel in Austria, Romantik Seehotel Jaegerwirt, was hacked in precisely this way. The hackers demanded the equivalent of 1,500 Euros in bitcoin in exchange for restoring the keys’ functionality, and the hotel decided to pay the ransom.
This incident might be the first documented case of “jackware” or “ransomware of Things” (RoT). Both terms denote malware that targets and disrupts IoT devices, with a ransom demanded in exchange for restoring the devices’ normal functioning.
With more devices becoming wired to the global network (including private air-gapped networks), RoT may soon become a pervasive and disruptive phenomenon. It’s time to think about how to address this emerging threat.
The Future of Hackable “Things”
While the Austrian hotel case may be the first instance of documented RoT, it’s by no means the last. Many “things” that are connected to the internet have been proven to be hackable (for example, as WIRED reported, hackers managed to kill a Jeep on a highway), and new IoT devices may also be insecure.
Consider the Austrian hotel scenario. If the hotel hired a cybersecurity firm to respond to and mitigate the incident, it could cost more than the ransom itself. Replacing the system completely would cost even more. Given this reality, the hotel’s most efficient recourse might be to pay the ransom. This is the reality that we face unless IoT security standards are strengthened and implemented properly.
To be clear, ransomware is not a new phenomenon. But so far, the targets of ransomware have been data, and data is often backed up. With jackware, as Stephen Cobb, a senior security researcher at ESET, has written, the goal is to lock up a car or device until you pay up. And paying ransom is understandable for a business that can’t afford a disruption in its activities: Marcin Kleczynski, of the cybersecurity defense firm Malwarebytes, told WIRED last week, “If you have a $500,000 ransom to get $100 million of revenue back as quickly as you can, you start thinking, is this the more logical option for us as a business?”
It’s also possible for vulnerable IoT devices to enable DDoS attacks. As demonstrated recently in the DDoS attack on the Dyn DNS provider, an army of IoT devices may be recruited by exploiting their vulnerabilities and then used to flood servers with bogus requests, leaving those servers unable to operate and respond to genuine requests. The October 2016 DDoS attack on Dyn was possible because of compromised IoT equipment. These devices were easily exploited because they did not have a robust security system in place. Since such devices can be used by anyone, anywhere, this problem should be addressed on an international level.
Enter International Law
Fortunately, because these products are manufactured by companies that do business globally, and thanks to how international law works, the problem can be addressed on an international level.
First, nations will have to agree on IoT security standards, and they’ll need to establish a system by which an independent third party can update the standards from time to time.
Second, once these standards are set, international law would be able to incorporate them within the ambit of international trade. For example, the General Agreement on Tariffs and Trade allows countries to impose restrictions on imports if they are required in order to protect, among other things, human, animal, or plant life or health. That provision permits a country to refuse to import products that violate such protective standards. In the same way, international trade law could develop in a way that allows importing countries to refuse goods (for example, smart thermostats) if the manufacturer does not abide by the global standard on IoT security.
A recent survey from AT&T reported that 85 percent of enterprises currently are considering or implementing an IoT strategy, and just 10 percent of those businesses feel they can secure the devices satisfactorily. Global standards could go a long way toward making those systems less vulnerable, while reducing the uncertainty that manufacturers and consumers can experience.