​How Europol Plans to Police the Internet of Everything

The Internet of Things—the new age of devices with digital connectivity—is already being abused by cybercriminals. Fridges and smart TVs are being commandeered for spam-sending botnets, and the troves of personal data leaked by household items makes them vulnerable to hack attacks.

But Europol, the European Union's law enforcement agency, is already looking one step further, to the Internet of Everything. This, it explains, is "the next evolutionary stage of the Internet of Things."

Going beyond just having a responsive thermostat in your home, the Internet of Everything (IoE) is the convergence of communications between machines (M2M), communications between people and machines (P2M), and digital communications from person to person (P2P). Everything and everyone is connected.

One section of Europol's new report, The Internet Organised Crime Threat Assessment (iOCTA), lays out what threats, obstacles, and developments the agency reckons it will need to consider in order to control this potential new avenue for criminality.

As for what the criminals might actually do when they gain access to these networked systems, Europol envisions new blackmailing and extortion schemes, perhaps in the form of ransomware applied to cars or even smart homes. Presumably, this would work in a similar way to ransomware on a computer: Imagine having to send a hacker a wad of bitcoin before they'll relinquish control of your vehicle.

The report also predicts that attacks could lead to "physical injury and possible death," referencing an earlier prediction that, soon, "We will witness the first ever public case of murder via hacked Internet-connected device." This could be through something like a hacked pacemaker—which we already know is theoretically possible.

There will also likely be an increase in data theft (especially as more stuff is stored in the cloud), and new types of botnets.

The report gives an overview of what the IoE looks like today, such as the possibility of hacking attacks on cars, and points out that the industrial-scale systems behind critical infrastructure are also particularly weak. "These systems have vulnerabilities, are often poorly protected or run on software that has reached end-of-life (EOL) such as Windows XP," it states.

As more devices get rolled out, the report suggests that the hardware and software they use may become more standardised. "We can expect to see a higher degree of homogeneity or standardisation," it says. This would increase the chance of a single fault—perhaps in a piece of underlying software—affecting a "potentially very large number of devices thereby creating a large number of potential victims."

You could compare this possibility with something like the Shellshock bug, in which a fundamental vulnerability exposed operating systems on many devices to attacks. Something similar could apply to connected cities, or key IoE infrastructure.

And when more items get connected to the internet, they'll introduce a whole new set of problems for law enforcement because of the sheer variety of things to worry about. "The Internet of Everything presents specific investigative challenges for LE [law enforcement] because of the number and diversity of hardware, software and communication protocols that LE needs to be able to examine, and in terms of identifying the devices and extracting the data that are of relevance to a particular case," the report states.

On top of this, because many items will exchange or store data in the cloud, with servers potentially located anywhere on the planet, Europol will need cross-border co-operation and legal assistance to obtain the information they're after in some cases. There's also the standard Big Data noise problem of needing to filter through masses of evidence to find the relevant information.

In the end, pinning a charge on criminals may also become harder anyway, Europol says, because "it can be expected that the IoE will further complicate the attribution of crimes, given the increased attack surface and large number of attack vectors."

When it comes to combating these upcoming threats, Europol doesn't really have much specific advice to offer just yet. Generally, it suggests that the IoE industry should consider security in their products and services more seriously; recommends that law enforcement agencies get better tools for analysing data; and asks that policymakers keep up to speed with regulating the fast-developing industry.