Grow: Expanding our ability to provide, through technology

Next to Be Hacked? Your Dinner

As we add our kitchens, restaurants, and other food systems to the Internet of Things, our reliance on cybersecurity continues to grow.

Imagine the luxury of a smart kitchen that knows you so well that it orders groceries to be delivered in time for Meatless Monday and links to your Fitbit so it can suggest recipes based on your weight and what’s already on your shelves. Soon enough, this kitchen won’t require much imaginative thinking. It becomes more of a reality as our daily dietary needs seamlessly integrate into the Internet of Things (IoT).

Forecasts expect 125 billion devices to be connected to the IoT by 2030. This will include more than kitchen appliances; soon entire restaurants and even food production systems will be connected, as internet-enabled technologies offer ways to increase efficiencies at scale. And as our reliance on the IoT grows significantly, whether it’s in a personal kitchen or an entire regional system, so too will our reliance on cybersecurity. This is particularly important in the food and beverage industry, which is the second-most targeted industry by hackers.

A recent AT&T study showed a 3,198 percent increase in IoT vulnerability scans from 2013 to 2016. The culprit? The ease of entry created by some IoT-enabled devices. The problem is that many designers, in their rush to get their smart devices to market, often treat security as an afterthought. And many consumers and businesses, swept away by better efficiency, are unaware of the risks that they face in interconnectivity.

As there is currently no industry-wide or government-mandated security standard in IoT devices, it falls to manufacturers, consumers, and businesses to learn how to protect themselves. What does this mean as the IoT begins to change the way we grow, sell, ship, prepare, and eat food? What’s the worst that can happen, and what can you do to avoid falling victim?

Eggs, Milk, and Spam: What’s in Your Fridge?

More than 100,000 smart devices were hacked between December 2013 and January 2014 in a cyberattack that generated more than 750,000 spam messages. Some came from expected devices, like tablets. One source was unique: a refrigerator, according to Proofpoint, the cybersecurity firm that uncovered the attack.

How does a refrigerator send out spam? To handle communication and other functions, smart fridges have embedded computer processors that act as self-contained web servers. This particular fridge, as well as the other compromised gadgets, was either poorly configured or set up using default passwords—a classic mistake but one that hackers always expect and seek out. No serious damage was done in this case. But what if the owner of the fridge had decided to check on the contents from a work computer? That would’ve granted the hacker an entry point into the computer and, subsequently, everything in its network.

When Your Fridge Gives Away Your Passwords

In another instance, a smart fridge was designed to show a user’s email-synced calendar on its display. To secure integration, the manufacturer implemented SSL (Secure Sockets Layer)—but unfortunately didn’t add SSL-related security measures. The refrigerator wasn’t designed to validate SSL certificates. This gave hackers access to the user’s entire network, including the email account. Once hackers have this information, it’s only too easy to gain access to other sensitive information.
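The gap described above, encryption without certificate validation, shown as an added example that is not code from the article or from any fridge vendor: a non-validating TLS client configuration beside a validating one, with a small audit that reports the difference. It uses Python's standard ssl module; the function names are hypothetical.

```python
import ssl

def weak_client_context():
    """Encrypts the session but accepts any certificate, as the fridge did."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # certificate chain is never validated
    return ctx

def hardened_client_context():
    """Validates the chain against the system trust store and checks the host name."""
    return ssl.create_default_context()

def audit_context(ctx):
    """Return the certificate-validation gaps in a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("server host name is not checked")
    return findings

def require_validation(ctx):
    """Gate for device code or CI: refuse to use a non-validating context."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("unsafe TLS client context: " + "; ".join(findings))
    return ctx

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "validates certificates")
```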

What’s a homeowner to do to maintain privacy?

“From a consumer point of view, you’re somewhat at the mercy of the vendor,” said Humayun Zafar, an associate professor of information security at Kennesaw State University. “If there’s a baseline flaw in a network device or an IoT device, then at best the consumer can do things like make sure the password they pick for that network is somewhat complicated. Don’t pick a birthday. Be a good digital citizen, so to speak.”

In addition, people can set up encryption models in their homes that de-identify data from all personally identifiable information, effectively protecting their privacy.

The Vending Machine with the Power to Shut Down a University’s Internet

People desperately seeking a soda or a candy bar have always found ways to hack a vending machine. Shake it, kick it, you name it—there’s a YouTube video that shows you how to get what you want. But now that vending machines are connected to the IoT, hackers are taking that to a new level.

At one U.S. university, several vending machines were among a group of 5,000 infected IoT devices that collectively cut off the school’s internet. The infection was designed to send out thousands of Domain Name System (DNS) queries to random seafood websites every 15 minutes, effectively creating a distributed denial of service (DDoS).

“There is notoriety,” said Zafar, in explaining the appeal of hacking. “Some folks break into things because it’s a challenge for them. They can put a stamp on the internet and say, ‘We were the ones who took down this bank or that school,’ without any financial repercussions or benefits whatsoever.”

To avoid falling victim, organizations must regularly assess security and resolve DoS-related vulnerabilities. The affected university, and all organizations, should also look into using network security controls such as services from cloud-based vendors that are designed to respond to IoT attacks.
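One way to spot the pattern described above from resolver logs, as an added example that is not from the article: count DNS queries per device in 15-minute windows and flag devices that send a large number of mostly unique names. The thresholds, addresses, and domain names are constructed assumptions to be tuned against a real baseline.

```python
from collections import defaultdict

WINDOW_SECONDS = 15 * 60   # the burst interval reported in the article
MAX_QUERIES = 200          # assumed per-device ceiling per window
MIN_UNIQUE_RATIO = 0.8     # assumed: bursts hit mostly never-repeated names

def find_dns_bursts(events, max_queries=MAX_QUERIES,
                    min_unique_ratio=MIN_UNIQUE_RATIO):
    """events: iterable of (epoch_seconds, source_ip, qname).

    Returns a sorted list of (source_ip, window_start, queries, unique_names)
    for every device/window pair that exceeds both thresholds.
    """
    buckets = defaultdict(list)
    for ts, src, qname in events:
        window_start = ts - ts % WINDOW_SECONDS
        buckets[(src, window_start)].append(qname.lower().rstrip("."))
    alerts = []
    for (src, window_start), names in buckets.items():
        unique = len(set(names))
        if len(names) > max_queries and unique / len(names) >= min_unique_ratio:
            alerts.append((src, window_start, len(names), unique))
    return sorted(alerts)

def constructed_sample():
    """Constructed traffic: one noisy vending machine, one ordinary laptop."""
    events = []
    for window in range(3):
        base = window * WINDOW_SECONDS
        # Vending machine: 500 lookups of distinct names within one minute.
        for i in range(500):
            events.append((base + i % 60, "10.20.0.15",
                           f"q{window}-{i}.seafood.example"))
        # Laptop: 40 lookups of the same three names spread over the window.
        for i in range(40):
            events.append((base + i * 20, "10.10.0.7",
                           f"mail{i % 3}.campus.example"))
    return events

if __name__ == "__main__":
    for src, start, count, unique in find_dns_bursts(constructed_sample()):
        print(f"{src} window={start}s queries={count} unique={unique}")
```

Fixed windows can split one burst across a boundary, so a production rule would use overlapping windows or a lower threshold.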

The Stock Market Is Giving You Food Poisoning

Consider a large fast-food chain that prides itself on dishing up fresh food. As interconnected devices help to increase freshness and productivity, they also open the chain to many vulnerabilities. If the refrigeration system of a chain is hacked, for instance, this might mean that the chain cannot sell its product or, worse, that customers might get sick after eating spoiled food, among other possible outcomes. Hacking a refrigeration system would have an immediate effect on a public company in ways that wouldn’t occur to the average burger-eating citizen.

Think about it: If a public company takes a huge hit, its reputation and value could be damaged. “This is unfortunately where cyber criminals have become quite intelligent about world markets,” said Michael Parker, CMO of Armis, an IoT security platform that helps businesses protect their unmanaged devices. “They know what they’re doing. They’re not just stealing credit cards. They’re actually trying to hurt companies and shift the economic power.”

If a business has a large IoT infrastructure, protection is a bit tricky. Companies should look at implementing a flexible architecture-based defense that automatically identifies, mitigates, and contains an attack the moment it happens. Network segmentation creates separate zones across the IoT network. That means an IoT device can communicate only with its assigned destination. As a result, this technique can help prevent a single attack from sweeping across the network. However, segmentation alone is not enough to prevent breaches, especially since devices can connect externally and to each other, leaving another exposed surface. “Airborne” attacks can travel over wireless or Bluetooth connections, bypassing the network completely and spreading malware from device to device in ways that traditional security methods can't detect. At the end of the day, the most important thing to get right is the security in each and every internet-enabled device.

Agroterrorism Is as Scary as It Sounds

Climate-controlled farms all around the world allow for precision agriculture; they make use of IoT-enabled devices such as drones to inspect fields or spray pesticides, artificial lights programmed to adjust to the needs of the crops, automated tractors, and more. This connectivity can lead to a more efficient farm—and a more vulnerable production system. “The usual rule of thumb when it comes to anything regarding cyber is that as long as something is networked, it can be broken into,” said Zafar. “[Hackers] can shut down production. Now, if the drone, for example, is distributing some kind of pesticide based on timers, someone can actually breach the system and cause some havoc there.”

Food irradiation, electronic pasteurization, and the spraying of preservatives are permitted in more than 50 countries. These processes are potential targets for agroterrorism: the intentional contamination of a food supply with the goal of terrorizing a population and causing harm. If a hacker finds a way to enter the programmable logic controllers (PLCs) of the devices used to carry out these tasks, they can introduce dangerous chemicals into the food production plant. Or they could remotely shut down refrigerators to ruin supply or even create an explosion.

To avoid such situations, the security of IoT devices and cloud environments must be maintained. In addition, companies should ensure additional firewalls are in place, along with access control systems and network traffic monitoring.

IoT is now part of every industry, each of which should be wary of neglecting cybersecurity practices and therefore risking the safety of their customers and staff, their legal standing, brand reputation, money, and future opportunities. As interconnected devices are added to the IoT infrastructure of homes, restaurants, warehouses, and food production centers, individuals and businesses need to ask themselves three questions: How do these devices connect? How do I secure them? How do I update them?

“We literally have billions of these small devices with sensors that are going to be everywhere, from kitchens to trucks, and it’s very challenging to update those systems because designers haven’t thought about building auto-updates into them yet,” said Parker, who explained that there are billions of devices in use that will never be updated to current or future security standards. “Until all devices have that capability,” he said, “you’re going to still need to have a third-party security solution to watch over them.”