digisoc2: IoT and Mechatronic Hazards
Car companies tout their latest and greatest safety technology at auto-expositions. The average American spends days researching safety features before buying a new car. Why don’t we give smart-home devices the same scrutiny? Most Internet of Things (IoT) devices don’t even mention their safety or security features on the box. And yet, we fill our houses and cover our bodies with smart things. The threat landscape has changed, now that computers can interact with the physical world. No customer thinks “Oh, I sure hope this light bulb doesn’t expose my house to hackers.” Why don’t we care more?
The Internet of Things is fundamentally prone to poor security, because of conflicting product design and maintenance cycles. Digital and mechanical products are designed differently. Software vendors will release a minimum viable product as soon as possible, then patch it over the course of its life. Mechanical products are rigorously designed before they get put on retail shelves, so as to get it right the first time around. This is because releasing a firmware update is convenient, but issuing a recall of a physical product can cost millions of dollars. It’s difficult to support mechanical devices after they’ve been released.
IoT falls in an unfortunate middle ground. Some aspects of IoT are dynamically supportable, while some aspects are hard to change after leaving the warehouse. The difference in product design cycles make IoT devices rushed in some aspects and overdeveloped in others. Billy Rios, an IoT cyber security researcher, argues that “Security should be at the core of the design of all IoT devices — not an afterthought, or worse, reactive after the damage has been done,” and yet security is often the first thing to be compromised.
The traditional cyber security value model prioritizes confidentiality, integrity, and availability. These come in dual pairs; namely disclosure, alteration, and denial. For IoT devices capable of physical actuation, the ability to act upon its surroundings, this model fails to address the whole situation. It misses the duality of safety and hazard. OSHA defines hazard as “Any source of potential damage, harm or adverse health effects on something or someone,” and has ample resources as to how to address it. Hazard is well defined in occupational safety, a subset of mechanical and reliability engineering.
Despite hazard’s clear definitions and regulations in engineering, cyber security specialists lack the common terminology to use it. Most cyber security blogs only talk about IoT’s potential to make botnets and network soft-points. Few cyber security specialists have backgrounds in mechatronics, let alone any non-digital aspect of IoT. They fail to address the risk of physical injury, bodily harm, or public safety. Our professionals are unprepared for the incoming threat landscape. More and more internet connected, publicly accessible, physically actuatable devices will proliferate the market. This can, will, and has already led to catastrophic attacks.
In recent years, there have been a few landmark cases of IoT being used to cause physical hazards. In 2014, a German steel mill was hacked to cause immense damage. This attack required ample knowledge in both cyber penetration and mechanical operation of a blast furnace. In 2017, Billy Rios and Dr. Jonathan Butts hacked a car wash to become effectively a torture chamber. Most lists of landmark IoT hacks don’t mention either of these. The risks of IoT hazards are real, and only becoming greater as we expose ourselves to an increasingly connected world.
10 years ago, nobody would have guessed that Americans would willingly surround themselves with surveillance equipment, but now 69% of homes have some form of smart device. Few of these are capable of physical actuation, but who knows what homes will look like by 2030? Smart thermostats threaten to take down power grids and make offices inhospitable. Self driving cars threaten to cause mass accidents, hit pedestrians, and take down critical infrastructure. Smart ovens, smart pressure cookers, and smart kettles threaten to burn houses down.
Last semester I had the opportunity to attack an LG ThinQ smart oven. My goal was to remotely burn a house down just over wifi, exploiting both software and mechanical systems, to demonstrate what an IoT hazard might look like. Billy Rios and Dr. Jonathan Butts formalized “The Security Law of Cyber Physical Systems: The mechanical functions of a cyber physical system are bounded only by the physical limits of the hardware components,” arguing that there is potentially a payload wherever more is mechanically allowed than intended. When smart ovens limit their maximum temperature with software, then they are vulnerable to exploitation with software.
What should we be doing? For those of us pursuing mechatronics or cyber security, it’s critical that we talk to each other and build a common language. Cyber journalists should collaborate with occupational safety journalists. Software development teams should sit closer to mechanical development teams. For everyone else, we need to vote with our wallets and incentivize safety and security. As consumers, our demands tell companies what to produce. Paying the premium for safe and secure products is worth it in the long run. We should be conscious with how safe our smart home devices truly are.
One should ask, why hasn’t anything been done about this yet? Cyber security journalists write about botnets and network softpoints because they’ve caused catastrophes before. People have lost money and data, and have had websites and services taken down. Policymakers can justify throwing money at these causes because there is evidence of loss. But nobody has been killed by a smart oven yet. IoT’s safety risks will continue to be unaddressed until someone gets hurt, or until we make companies aware of the risk of IoT hazard.
