The Internet of Things: What We Can Learn From Stuxnet

In 2010 a malicious computer worm called Stuxnet was uncovered in the Iranian uranium enrichment facility Natanz. For months it had been wreaking havoc on centrifuges that played a vital function in the enrichment of uranium that would ultimately be used to develop nuclear weapons. The way Stuxnet worked was as follows. First, it infects a machine through a USB drive containing a Windows shortcut that automatically runs an executable file. The worm then spreads across the facility’s network. If the device it is on does not meet certain requirements, the worm remains inert, causing no damage. However, once the worm meets the device it was designed to interact with, in this case Siemens’ WinCC SCADA control software, Stuxnet installs its malware. While the specifics are very complicated, what this malware essentially does is periodically change the frequency of a programmable logic controller (PLC) that determines how quickly the centrifuges used to enrich uranium rotate. Additionally, it masks the changes in rotational speed from the system used to monitor them.


Because of this, Stuxnet reduced the centrifuge operational capacity at Natanz by 30 percent. It caused a number of serious nuclear accidents and cost the facility massive amounts of money to replace the broken centrifuges. Though many of the specifics are still unknown, it is believed that Stuxnet was active as early as November 2007. That means that the worm was causing physical damage while remaining undetected for three years before finally being stopped. The worm is believed to be the result of a collaboration between the US and Israeli military, though neither country has openly confirmed this.

Stuxnet is an incredibly important cyber weapon, not because of its massive impact in stunting Iranian nuclear weapon development, but because it was the first large-scale case of a worm escaping the digital realm and causing real physical damage. It provided the world with proof that physical damage can result from malicious code spread over a network.


 

The Internet of Things (IoT) is the network created by all the different smart devices we interact with. This network lets these devices communicate with one another to improve our everyday lives and make the world an all-around better place. It is through this network that we get incredible technological achievements like the smart home, large-scale automation, and driverless cars.

On its surface, the Internet of Things offers an incredible opportunity to make our devices work even more effectively than they already do. Imagine living in a futuristic smart home where the moment your alarm goes off the curtains are automatically drawn back, Alexa is reading your schedule, coffee is being made, and bread is toasted to perfection every time. It seems ideal, but Stuxnet reveals the more sinister things that can easily occur should we continue to ignore the issue of IoT security.

At this point, I believe it is inevitable that we will soon live in a world where cars are made without steering wheels. These cars will drive us wherever we need to go and will communicate with all the other cars on the road to maximize traffic flow and minimize accidents. For this to happen, all the cars must be broadcasting and receiving information from a network. Simply by existing, this network is a security concern. Given enough time and intelligence, a malicious group could develop a method to spread a worm over this network, just as Stuxnet spread across Natanz’s network. This worm could then install malware to allow the cars to be controlled not by what is typed into a GPS but by those who made the worm. Suddenly, every car on the road is a weapon.

The above may sound like a lot of fearmongering, but that is not the goal of this article. Rather, I wanted to try to show that malicious software is capable of far more than data breaches and crashing websites. It can serve as a tool to inflict physical damage on a massive scale from thousands of miles away. This is cause for serious concern. The good news is that IoT and automation companies like Tesla, Google, and Amazon are aware of these potential issues and have built security protocols into their smart devices to protect against them. Tesla, for instance, consistently provides software security updates, and Elon Musk himself said that preventing a fleet-wide hack is Tesla’s top security concern. While this is a good sign, there are many smaller companies out there that create IoT devices that do not focus on security (see here). This is concerning if everything is ultimately going to be connected over the same network, because these cheaper devices could act as a potential gateway for a worm to reach a more important, secure device.


Ultimately, it is the responsibility of us as consumers and voters to put cybersecurity first. It is inevitable that the IoT will continue to expand in the coming decades. This is a good thing, but only if we also demand that regulations be put in place to ensure that no matter what the device is, from the smart toothbrush to our cars, it meets a consistently up-to-date security standard. Until then, we should purchase smart devices carefully and pay attention to our own usage habits, such as the WiFi networks we connect to and the passwords we use. The world of the future is always exciting to think about, but if we do not focus on security now it will be a world open to abuse.

6 thoughts on “The Internet of Things: What We Can Learn From Stuxnet”

  1. Really cool post David! The Internet of Things is a particularly intriguing topic since I always forget how interconnected all of our devices really are. Having this interconnection was always seen as a positive, but when sabotage and risk come to mind it can clearly wreak havoc. Something major companies and individuals need to be prepared for!


  2. Great post David. I remember a funny episode of Silicon Valley where a smart refrigerator was hacked, but as your post shows, hacking something like an autonomous vehicle is no joke. I think your call for strong data-security standards is right, but what might even be more difficult than getting the right policies in place (given the lack of tech knowledge of many in govt.) is the unknown unknowns out there, the possible gaps and malfunctions in code that we don’t even know exist. Definitely a big sector of tech to keep an eye on though over the next couple of years.


  3. Hey, David! Great post! I feel like whenever you see articles and news about the possibilities for the Internet of Things, they’re largely explained in a positive light. This was very educational on the more sinister side of things. I had personally never heard of Stuxnet, but after learning about it and your explanation of the potential widespread implications of worms like those, I definitely feel like we all need to be more proactive about being conscious of these issues.


  4. Hi David! Great post! I have seen a TED Talk session on Stuxnet, but you have done so much better in simplifying the story for us to understand the processes and problems!
    I came across a picture of an article published in 2000 with the headline “Hackers can Turn your Home Computer into a Bomb & blow your Family to Smithereens!” (https://security.stackexchange.com/questions/13105/is-it-possible-to-turn-a-computer-into-a-bomb) It sounds funny and absurd, but as we become more and more dependent on technology and the internet, the impact of malfunction and malware is greatly magnified. I think we really should stress the importance of cybersecurity.


  5. Great post David. I remember watching some news thing where someone showed how they hacked cars that weren’t even self-driving. They just hacked into the computer and software that already exists within cars we use today. I’ll be the first to say that this is something I’ve always been paranoid about. Everything we use is dependent on computers and hackable software already to the point where I’m honestly surprised these sorts of crazy hacks haven’t happened more.

