“The Hackers in Your Yogurt”
by Sarah Witman
Quartz, March 24, 2017
[Witman notes: I was happy the editor guided me toward a more narrow focus than I had originally pitched.]
In the ‘Internet of Things,’ cyber-terrorists turn everyday items into weapons
I’m a freelance science journalist based in Madison, Wisconsin. I’ve heard great things recently about writing for Quartz, and your editing in particular, [Witman notes: This isn’t BS; I had heard good things from two different writers about this editor, and Quartz had just been written up in Columbia Journalism Review as one of the best outlets to pitch] and would like to run a story idea by you.
It would be about how, in the age of “the Internet of Things,” cyber-terrorists can turn our internet-connected devices into weapons. And how, just like with physical acts of terror, fear can either conflate the problem or propel us to action.
In early 2014, when an unknown cyber-criminal remotely broke into an estimated 100,000 devices — wireless routers, televisions, and at least one refrigerator — programming them to malfunction and send out thousands of spam emails, it caused a stir in the tech community but it wasn’t front-page news. At the time, an Ars Technica commenter wrote, “The scenario that really concerns me is the ‘connected TV.’ It will typically have a browser, and many have support for Facebook, Twitter and mail. And typically no protection against infection. This is a Very Bad Thing just waiting to happen.”
Nearly three years later, the Very Bad Thing did happen. Last October, cyber-attackers infiltrated home IP-addresses with malware, hidden inside phishing emails, which easily spread to other devices in the home: DVRs, cable boxes, routers, webcams, and even thermostats. With these devices under their control, the attackers used them to flood (and, subsequently, crash) local servers with thousands of fake requests, preventing users from accessing traffic-heavy sites such as Spotify, Twitter, Netflix, Amazon, and PayPal.
These devices (which make up the so-called “Internet of Things”) make easy targets; they often have poorly written code and are unlikely to be reinforced with the bits of software, or patches, designed to update and fix bugs in outdated software. Before now, the manufacturers haven’t seen an urgent (or profitable) reason to do so. And, being relatively new, at least in legislative time-scales, they are not very well-regulated.
Furthermore, this type of attack has the potential to be much worse than spam emails and a night without Netflix, as experts recently testified to Congress. For example, the FDA released a warning last month that a certain brand of pacemaker is vulnerable to hacking, and cyber-security expert Max Kilger recently described a scenario to me in which cyber-criminals could hack into food processing, transportation, and storage systems in order to spoil perishable foods, potentially causing cases of food poisoning or even food shortages.
I’d like to write about what industry leaders, as well as the Department of Homeland Security and other federal agencies, are doing to minimize these threats. Kilger said he hopes the new administration (particularly Rudy Giuliani, who Trump has appointed to lead the White House’s cyber-security team) will be effective diplomats in “getting industry to adopt standards and improve their cybersecurity status.” He also hopes the food industry in particular will learn from others’ past mistakes, saying, “With the presidential election, we got caught with our pants down. It wasn’t really the voting machines, or the DNC emails; it was the ability to use that vulnerability in combination with social media campaigns to potentially sway an election… It sort of blindsided us. That could happen with food safety. We know the industrial control-system machines on the plant floor are vulnerable; all it takes is social media combined with that vulnerability to strike fear and terror in the general population, and that’s pretty much the definition of terrorism.” Getting out ahead of these issues, Kilger says, should be “a national security priority.”
Please let me know if you’d like to know more or see a draft. Thanks!