Hélène Chauveau Head of Emerging Risks at AXA

How my fridge caused hundreds of websites to crash

Inside the Emerging Risks Room
Jul 5, 2017

Before we can prevent the risks of tomorrow, we need to think of them today. In this series, we present three experts with an imaginary crisis that could happen in five to ten years. How can we avoid it? How can we prepare for it? How can we manage the potential fallout? The answers are in the Emerging Risks Room.

December 11, 2022. 11:15 pm. Paris. Unable to stifle a yawn, Paul Lambert groped to find the remote control on the couch and switched off the TV set. Moving silently – the rest of the family was already in bed – he crept into the kitchen. When he opened the refrigerator door for a drink, a familiar beep sounded. The built-in touchscreen lit up: “Need eggs, orange juice, chicken. Next order scheduled for December 13. Remember to confirm by December 12.” Without glancing at the display now asking him to confirm his next shopping list, Paul shut the refrigerator door. “I'll have to remember to do that tomorrow,” he said to himself as he left the room. What Paul didn't know at the time was that this convenient appliance (“How did we ever manage before?” he would often say) would be all over the headlines in the coming weeks.

At that very moment, in the headquarters of one company, like several others from a range of sectors, the atmosphere on the executive floor was fraught with tension. Raised voices could be heard behind the closed doors of the main conference room. Curious for a Sunday. Especially at this late hour of the night.

From the discussion, it was clear that the subject was not the latest earnings release but the crash of the company's website. Along with the potential threat of an intrusion in its IT systems. What they didn't know was that many of their competitors, as well as their partners and even customers, were in the same situation. And only a minority of those affected were aware of the problem.

Just before midnight, hundreds of websites had been simultaneously attacked in the same manner: one or more hackers had gained control over a multitude of connected objects – like Paul Lambert's refrigerator. First, they attempted to retrieve personal data, ranging from simple email addresses to physical locations using log files or audio and video recordings.

The next step – the phase happening now – was to use connected objects as relays for a massive denial-of-service assault, or a DDoS attack for the tech-savvy. Hackers exploit these IoT devices, which are less secure than most traditional servers, to overwhelm targeted website servers and render them unavailable. Or, if they can, simply put them out of service.

Most IT managers would discover the damage upon arriving at the office on Monday morning. Or maybe they would be alerted at home by a message from their marketing officer, alarmed to see online sales for the evening dwindle near to zero.

Meanwhile, Paul Lambert's refrigerator would continue its assault. Without making a sound.

Consequences
No. 1: Loss of trust

Sales of connected refrigerators and other everyday devices, blamed for opening the door to hackers, abruptly collapse.

No. 2: Financial impact

Consumers abandon the impacted brands, causing their stock prices to fall, and bringing down the major online shopping sites in the process.

No. 3: Class action

Owners of the connected objects that were hacked and whose personal data was stolen bring lawsuits against the suppliers.

Why this can happen

October 2016: a global attack against Dyn, an infrastructure provider, jolted the public into awareness of the potential harm that nonsecure connected objects could cause. Within a few hours, many websites – including highly popular ones – had become completely unresponsive.

But despite recognition from all digital players – from hardware manufacturers to developers and including intermediaries and regulatory authorities – that security protocols must be reinforced, the market continues to grow at a brisk pace.

The Internet of Things is spreading beyond the industrial world (the smart grid, for example) into households, especially in Europe and the United States. Devices and services for the quantified self, smart homes and everything in between are multiplying.

4.6 billion connected objects in the world in 2015
16 billion connected objects in the world in 2021

By 2021, the number of connected objects will multiply by 3.4 and reach 16 billion worldwide.

Source: 2016 Ericsson Mobility Report

In 2014, prototypes of connected refrigerators are believed to have been used to perpetrate DDoS attacks, like the one against Dyn. Since then, the first smart fridges produced for sale to consumers have been presented to the public. Although it will still be some time before they are commonly seen in our kitchens, some researchers are already working on pinpointing their security flaws. For example, one model that displays the user's personal calendar by connecting to their email service does not sufficiently protect access to personal data. In theory, a hacker could exploit this weakness to steal login data.

Enter the Emerging Risks Room

Members
Hélène Chauveau, Head of Emerging Risks, AXA Group
Nicolas Arpagian, Director of Strategy and Public Affairs at Orange Cyberdéfense
Rocco Grillo, Executive Managing Director of Stroz Friedberg
Jean-Baptiste Petit, Group Head of Framework and IRM Program Management, AXA

Illustrations by Léonard Dupont