IoT hacks cost companies a lot of money. The overall cost of an IoT system hack varies depending on the number of affected devices, how quickly it’s discovered, and the length of time an issue persists. However, research from UC Berkeley attempted to quantify how much IoT hacks cost operators and consumers. It focused on distributed denial of service (DDoS) attacks involving IoT devices. Whether from DDoS or other attack vectors, the cost can be in the hundreds of thousands of dollars.
In one 2016 attack, security cameras were among the IoT devices affected in an issue that took the KrebsOnSecurity website down for 77 hours and cost consumers more than $323,000 due to the resultant excessive power and bandwidth consumption of consumers’ devices.
Attacks Damage Revenue
Another study of small businesses in the U.S. that use IoT discovered notable revenue losses from IoT breaches. The survey polled approximately 400 IT leaders from 19 industries and found 48 percent had already experienced at least one IoT breach.
Additionally, the research showed that among companies with under $5 million in revenue, the costs of IoT hacks made up 13.4 percent of annual revenue. For larger organizations, that cost was in the tens of millions of dollars.
It’s important to realize, too, that security mistakes are commonplace in organizations: insecure passwords, forgotten security procedures and a lack of policy enforcement contribute to cybersecurity attacks of all kinds, not just those related to IoT devices. On the positive side, though, preparedness for such attacks minimizes the risk of them occurring.
Hack Scenarios and Attack Vectors
Ever since an attack on the Ukrainian power grid forced a portion of the country into darkness a couple of years ago, people have nervously wondered what such an attack could do to a populous, digitally dependent country like the US.
It’s useful to know the average cost of power outages. According to 2015 data, electrical failures could cost operators and downstream businesses more than $179,000 per day. Places that are particularly dependent on power, such as healthcare organizations, might see expenses more than triple the average.
Healthcare organizations face average costs of $690,000 per outage, according to a Ponemon Institute/Emerson Network Power report. Add in the potential for the loss of life, and that calculation becomes imponderable. — Peter Maloney (Microgrid Knowledge)
Research shows manufacturers suffer the most due to such attacks. Even a brief assembly-line shutdown could cause a factory operator to start losing money as soon as it happens, or even before if machines are being compromised without the operator’s knowledge.
Two hypothetical scenarios could allow hacked IoT devices to compromise energy grids. The first involves hacking into and simultaneously activating utility-related IoT devices, such as those that control lights, thereby overwhelming the grid and triggering outages.
There’s also a good chance that hackers might take a less direct approach, hacking a vast number of devices and manipulating them so slightly that energy usage goes up unnoticeably at each node but a lot overall. The long-term effects of this kind of attack could cause significant systemic challenges—not to mention lost revenue.
As cybersecurity researchers point out, one of the unsettling things about IoT devices is that cybercriminals could impact multiple poorly secured IoT devices, doing damage to each and making it increasingly difficult to find the root problem. It doesn’t help that manufacturers often delay releasing security patches or don’t prioritize making secure devices.
IoT devices are relatively new, and manufacturers lack experience engineering them. Also, IoT is such a fast-moving industry that the goal is to release the latest, greatest connected devices before competitors offer similar products. That mindset means security becomes an afterthought. Many companies only think about it if an IoT hack occurs.
Severe Hacks Might Dampen the Industry’s Growth
Statistics published in August 2018 indicate there are more than 17 billion connected devices globally. Considering the IoT market is relatively new, that adoption rate is impressive and suggests people are ready for what IoT device manufacturers dream up. However, a large-scale and upsetting hack could cool the intoxication with IoT technologies.
In March 2018, Amazon smart speaker owners freaked out when Alexa laughed unexpectedly and without being prompted. Amazon quickly fixed the bug that caused the cackling, but not before people weighed in on Twitter and posted videos of their speakers behaving strangely.
Additionally, people have used IoT devices for malicious reasons, such as in a case from the United Kingdom where allegations say a husband spied on his estranged wife through a wall-mounted iPad. However, he contends he only accessed the app to change the TV volume and lighting.
In a copycat scenario, a cyber intruder would not necessarily need hacking knowledge for network access. For example, if a homeowner didn’t change the app password once a relationship broke down, an upset ex or relative could log in remotely and control things from afar. Such a possibility brings a new, alarming dimension to potential domestic abuse tactics.
If IoT devices frequently become associated with disturbing consequences, people may decide they’re not worth the investment. Such an outcome would dampen consumer spending on IoT devices, leaving device makers scrambling to recover from thwarted growth projections.
These examples show why people should not merely consider IoT hacks as things that could happen “someday.” Serious hacks have already occurred. Experts say more serious ones could be on the horizon. It’s time for industry leaders in both hardware and software to face these systemic risks and reassure end-users.