In 2010 a malicious computer worm called Stuxnet was uncovered in the Iranian uranium enrichment facility Natanz. For months it had been wreaking havoc on centrifuges that played a vital function in the enrichment of uranium that would ultimately be used to develop nuclear weapons. Stuxnet works as follows. First, it infects a machine through a USB drive containing a Windows shortcut that automatically runs an executable file. The worm then spreads across the facility’s network. If the device it is on does not meet certain requirements, the worm remains inert, causing no damage. However, once the worm meets the device it was designed to interact with, in this case Siemens’ WinCC SCADA control software, Stuxnet installs its malware. While the specifics are very complicated, what this malware essentially does is periodically change the frequency of a programmable logic controller (PLC) that determines how quickly the centrifuges used to enrich uranium rotate. Additionally, it masks the changes in rotational speed from the system used to monitor them.
Because of this, Stuxnet reduced the centrifuge operational capacity at Natanz by 30 percent. It caused a number of serious nuclear accidents and cost the facility massive amounts of money to replace the broken centrifuges. Though many of the specifics are still unknown, it is believed that Stuxnet was active as early as November 2007. That means that the worm was causing physical damage while remaining undetected for three years before finally being stopped. The worm is believed to be the result of a collaboration between the US and Israeli military, though neither country has openly confirmed this.
Stuxnet is an incredibly important cyber weapon not because of its massive impact in stunting Iranian nuclear weapon development but because it was the first large-scale case of a worm escaping the digital realm and causing real physical damage. It provided the world with proof that physical damage can result from malicious code spread over a network.
The Internet of Things (IoT) is the network created by all the different smart devices we interact with. This network lets these devices communicate with one another to improve our everyday lives and make the world an all-around better place. It is through this network that we get incredible technological achievements like the smart home, large-scale automation, and driverless cars.
On its surface the Internet of Things offers an incredible opportunity to make our devices work even more effectively than they already do. Imagine living in a futuristic smart home where the moment your alarm goes off the curtains are automatically drawn back, Alexa is reading your schedule, coffee is being made, and bread is toasted to perfection every time. It seems ideal, but Stuxnet reveals the more sinister things that can easily occur should we continue to ignore the issue of IoT security.
At this point, I believe it is inevitable that we will soon live in a world where cars are made without steering wheels. These cars will drive us wherever we need to go and will communicate with all the other cars on the road to maximize traffic flow and minimize accidents. For this to happen all the cars must be broadcasting and receiving information from a network. Through simply existing, this network is a security concern. Given enough time and intelligence, a malicious group could develop a method to spread a worm over this network, just like Stuxnet across Natanz’s network. This worm could then install malware to allow for the cars to be controlled not by what is typed into a GPS but by those who made the worm. Suddenly, every car on the road is a weapon.
The above may sound like a lot of fearmongering, but that is not the goal of this article. Rather, I wanted to try to show that malicious software is capable of far more than data breaches and crashing websites. It can serve as a tool to inflict physical damage on a massive scale from thousands of miles away. This is cause for serious concern. The good news is that IoT and automation companies like Tesla, Google, and Amazon are aware of these potential issues and have built security protocols into their smart devices to protect against them. Tesla, for instance, consistently provides software security updates, and Elon Musk himself said that preventing a fleet-wide hack is Tesla’s top security concern. While this is a good sign, there are many smaller companies out there that create IoT devices without focusing on security (see here). This is concerning if everything is ultimately going to be connected over the same network, because these cheaper devices could act as a potential gateway for a worm to reach a more important, secure device.
Ultimately, it is the responsibility of us as consumers and voters to put cybersecurity first. It is inevitable that the IoT will continue to expand in the coming decades. This is a good thing but only if we also demand that regulations be put in place to ensure that no matter what the device is, from the smart toothbrush to our cars, it meets a consistently up-to-date security standard. Until then we should purchase smart devices carefully and pay attention to our own usage habits such as the WiFi networks we connect to and the passwords we use. The world of the future is always exciting to think about but if we do not focus on security now it will be a world open to abuse.