Could the Government’s cyber priorities leave us vulnerable?

The Chancellor of the Exchequer, Phillip Hammond, commented in the Government’s Cyber Security Strategy that £1.9bn will be invested over the next five years in defending our systems and infrastructure, deterring our adversaries and developing a whole society capability – from the biggest companies to the individual citizen.

However, you do have to wonder how this investment will be distributed amongst the differing cyber vulnerabilities, even though the strategy stresses that cyber threats impact all of society.

Clearly the key priorities for the Government in terms of cyber protection are security services, critical national infrastructure and big business. There is also an emphasis within the medical sector, as a hack of a connected healthcare device could obviously have drastic consequences and could endanger life. The raft of technology within the automotive sector has also left connected cars vulnerable, and high profile hacks have raised alarm bells in this sector as well.

However, these days everything is becoming connected. The smart home is not just a futuristic concept, it has well and truly arrived. Washing machines, toasters, fridges, lighting systems, TVs – you name it – if it has an electronic circuit it can be (and increasingly is) connected.

For manufacturers of these types of devices (who have traditionally never produced connected products and therefore have limited experience of digital security), it can be expensive and time consuming to incorporate security measures into the design process, much less make sure that the device is upgradable over time to respond as cyber threats evolve.

Because the Government’s focus is on the larger scale risks, our homes have been left open to attack. Indeed, it is entirely possible that the Government has actually exacerbated the problem. They have actively encouraged the uptake of smart meters in the home, describing them as ‘the next generation of gas and electricity meters which offer a range of intelligent functions’.

While this is certainly true, and www.gov.uk states that ‘Consumers will have a choice about how energy consumption data is used’, it doesn’t say much about how secure they will be. Security experts have been fairly vocal in claiming that smart meters are frequently insecure, with potential consequences of a hacked smart meter being power to a home being cut, or even causing a fire.

From the data gleaned from a smart meter a hacker could also see whether there were any expensive electronics within the home, and could potentially use the smart meter to hack the home’s security system – enabling them to gain entry without having to break in.

Examples like this are not in the far flung mists of the future, they are very real. As far back as 2009, an electric utility in Puerto Rico asked the FBI to help investigate widespread incidents of power thefts that it believed was related to its smart meter deployment. The FBI believed former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so.

It is thought that the smart meters were hacked using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the internet.

To emphasise the point around the variety and plethora of connected devices that could be a route into the home for the hackers, there have even been several instances of sex toys being hacked. These devices, which have undergone their own connected revolution in recent years, can obviously contain extremely sensitive and intimate information.

In April this year the BBC reported that Pen Test Partners, a provider of cyber security testing, described the difficulty of hacking into a particular sex toy (that features a camera), as ‘trivial’. There have even been instances of hackers being able to take control of sex toys remotely.

This raises the question of where liability resides if a connected device like this is hacked. Reviews of the law in the US could qualify hacks of this kind as sexual assault and it’s a matter of when, rather than if, a first case is brought before the courts.

Mitigating these risks will require an update to the communication protocols that connected devices use to communicate – some of which are over ten years old and very convoluted, more comprehensive implementations of devices like smart meters, and stronger vendor design principles where upgradable security is built-in at the device’s birth.

For the consumer in their smart home it is important for them to know their role in the security process – primarily by purchasing their devices from reputable manufacturers and not being lazy with their login credentials i.e. no ‘1,2,3,4’ or ‘password’ passwords! While doing this won’t make your device unhackable by any means, it will certainly slow the process down – increasing the chances of hackers getting fed up and moving on.

In addition, if your toaster, washing machine or dare I say, favourite sex toy, connects to the internet, it will do so in the same way as your laptop or smartphone and therefore, will need the same firewalls, WiFi protection and systems updates.

So, while there is a lot more the Government and device manufacturers could do to increase cyber security at EVERY level, the good news is that your hands are not completely tied and there are measures that the consumer can put in place to increase the chances of their smart home being a secure home.