Lock out: The Austrian hotel that was hacked four times

The internet of things (IoT) promises many advantages - smart cities with integrated transport systems, for instance - but it comes with a significantly increased cybersecurity risk. So how should we be tackling this new threat?

Christoph Brandstatter is managing director of the four-star Seehotel, Jagerwirt, in Austria's Alps.

His hotel's electronic door locks and other systems were hacked for ransom four times, between December 2016 and January 2017.

"We got a ransomware mail which was hidden in a bill from Telekom Austria," says Mr Brandstatter.

His hotel's door keys became unusable after he clicked on a link to his bill. So was his hard drive.

"Actually, as a small business you do not really think that anybody's interested in you for hacking, so we had no plan what to do," he recalls.

He paid a ransom of two bitcoins, saying "at that time it was about €1,600 (£1,406: $1,882)".

He has now installed firewalls and new antivirus software, and has trained his staff to recognise phishing emails that may seem genuine but actually contain malware.

And he's moved back to traditional metal keys.

"We've got good feedback about the old-fashioned keys," he says. "It gives guests a homely feeling."

On 5 December 2017, Mr Brandstatter received an email from Austrian police telling him his passwords had been found on a computer in the south of England.

This is the new threat presented by the internet of things - the growing number of devices connected to the internet, from keycard locking systems to coffee makers, security cameras to wi-fi routers.

Around 21 billion of these so-called "smart devices" will be in use by 2020, up from 6.4 billion in 2016, research firm Gartner believes.

These days, you can even get hacked through your fish tank.

A US casino's smart fish tank that could regulate its own salinity, temperature, and feeding schedules, was hacked earlier this year and used to gain access to the firm's wider network.

The hackers were able to steal 10 gigabytes of data from the casino's computers and store it on a device in Finland.

"It was a different type of attack, much more targeted and much more insidious, managing to break into an organisation and then move laterally," says Mike Lloyd, chief technology officer at Silicon Valley cybersecurity firm RedSeal.

Following the Mirai hack attack in 2016, we know how easy it is for hackers to gain control of computer networks through insecure devices and then use these "botnets" to launch attacks.

Cybergangs can hire these botnets to send spam or carry out massive DDoS [distributed denial of service] attacks that knock servers offline.

Meanwhile, "we're starting to see attacks focusing on compromising the integrity of data", says Jason Hart, chief technology officer for Dutch digital security firm Gemalto.

Hackers leave the data in place, but subtly change it, seducing a company into making a poor decision that benefits a competitor, or causes its share price to fall.

So what's to be done?

Conventional cyber-security software spots about 80% of attacks by learning and then recognising the unique signatures of each piece of malware that comes on to the market.

But with millions being created every week, keeping abreast of them is nigh impossible - lots slip through the net.

So cybersecurity companies have been developing a different approach, one that monitors the behaviour of the computer network and tries to spot dodgy behaviour.

For example, Eli David, co-founder of Tel-Aviv-based cybersecurity firm Deep Instinct, says his firm can spot 99% of IoT attacks.

Mr David, is a former university lecturer and an expert in deep learning, a branch of artificial intelligence.

In brief, machine learning algorithms monitor a network's "normal" activity - learning the usual patterns of behaviour of all the connected devices on that network. Once it has built up a picture of what is usual, it can then spot the unusual far more easily.

"Deep learning just looks at the raw binary [the patterns of zeros and ones]," he says, "so we don't care whether a file is from Windows, PowerPoint, or Android."

This real time behavioural monitoring requires speedy computing, so Deep Instinct uses powerful graphics processors made by Nvidia.

"The only thing that comes out of the lab is a small, pre-trained brain that is a deep learning model of about 10-20 megabytes," he says, "and this is the only thing we put on the devices."

But there are downsides, RedSeal's Mike Lloyd admits.

With deep learning algorithms it's often impossible to understand the basis on which they made a decision to flag up strange behaviour on the network. Sometimes perfectly innocent behaviour is identified as dubious.

And if the network behaviour changes legitimately, it can take a while for the algorithm to adapt to the "new normal", he says.

Companies like Aruba Networks, Vectra Networks and Alien Vault adopt this kind of automated monitoring approach. Another company, Darktrace claims that its machine learning and artificial intelligence algorithms create an "immune system" that enables the network to fight back against intruders.

Another challenge is simply finding out all the devices that are connecting to your network.

BeyondTrust makes detectors that scan wireless frequencies, while specialist search engines like Shodan.io can find them through the internet. And there are plenty of cyber-security companies, such as SolarWinds, offering device detection software.

The problem with IoT devices is that we often have to rely on the manufacturers to provide security updates. And they often can't be bothered.

So bodies, like the European Commission, are exploring the introduction of minimum smart device security standards.

"We need a regulatory Kitemark - we have it for cars and batteries," says Rik Ferguson, vice president of cybersecurity firm Trend Micro.

"The European Commission is looking at this very carefully," says Raphael Crouan, secretary of the EC's Alliance for Internet of Things Innovation.

"It's always a question for regulatory bodies, not wanting to limit innovation," he says.

Regulation and legislation always seem to play catch-up with technology.

Dave Palmer, technology director at UK threat intelligence firm Darktrace, says: "I think in five years we'll suddenly get secure products because people will throw away their first smart televisions and video conferencing units - it's a natural cycle."

Until then, the hackers could have a field day.