We are all lucky enough to live in a world full of interconnected devices, which is certainly cool and convenient because it’s so easy to keep remote things at your fingertips wherever you are. The flip side of all this technical sophistication is that anything connected to the Internet is potentially vulnerable. Cybercriminals are busy looking for ways to compromise various smart devices and have had quite a bit of success doing it. It turns out that the Internet of Things is low-hanging fruit for threat actors. The hack scenarios below might seem like science fiction, but they are absolutely real these days.
The Internet has penetrated seemingly all technological advances today, resulting in Internet for ALL THE THINGS. What was once confined to a desktop and a phone jack is now networked and connected in multiple devices, from home heating and cooling systems like the Nest to AI companions such as Alexa. The devices can pass information through the web to anywhere in the world—server farms, company databases, your own phone. (Exception: that one dead zone in the corner of my living room. If the robots revolt, I’m huddling there.)
This collection of inter-networked devices is what marketing folks refer to as the Internet of Things (IoT). You can’t pass an REI vest-wearing Silicon Valley executive these days without hearing about it. Why? Because the more we send our devices online to do our bidding, the more businesses can monetize them.
Unfortunately, the more devices we connect to the Internet, the more we introduce the potential for cybercrime. Analyst firm Gartner says that by 2020, there will be more than 26 billion connected devices—excluding PCs, tablets, and smartphones. Let’s talk about the inherent risks with IoT.
IoT Cybercrime Today
Both individuals and companies using IoT are vulnerable to breach. But how vulnerable?
- Can criminals hack your toaster and get access to your entire network?
- Can they penetrate virtual meetings and procure a company’s proprietary data?
- Can they spy on your kids, take control of your Jeep, or brick critical medical devices?
So far, the reality has not been far from the hype. We have seen a smart refrigerator hacked and sending pornographic spam while making ice cubes. Baby monitors have been used to eavesdrop on and even speak to sleeping (or likely not sleeping) children. In October 2016, thousands of security cameras were hacked to create the largest-ever Distributed Denial of Service (DDoS) attack against Dyn, a provider of critical Domain Name System (DNS) services to companies like Twitter, Netflix, and CNN. And in March 2017, Wikileaks disclosed that the CIA has tools for hacking IoT devices, such as Samsung SmartTVs, to remotely record conversations in hotel or conference rooms. How long before those are commandeered for nefarious purposes?
Privacy is also a concern with IoT devices. At present, IoT attacks have been relatively scarce in frequency, likely owing to the fact that there isn’t yet huge market penetration for these devices. If just as many homes had Cortanas as have PCs, we’d be seeing plenty more action. With the rapid rise of IoT device popularity, it’s only a matter of time before cybercriminals focus their energy on taking advantage of the myriad of security and privacy loopholes.
Security and privacy issues
According to Forrester’s 2018 predictions, IoT security gaps will only grow wider. Researchers believe IoT will likely integrate with the public cloud, introducing even more potential for attack through the accessing, processing, stealing, and leaking of personal, networked data. In addition, more money-making IoT attacks are being explored, such as cryptocurrency mining or ransomware attacks on point-of-sale machines, medical equipment, or vehicles. Imagine being held up for ransom when trying to drive home from work. “If you want us to start your car, you’ll have to pay us $300.”
Privacy and data-sharing may become even more difficult to manage. For example, how do you best protect children’s data, which is highly regulated and protected according to the Children’s Online Privacy Protection Rule (COPPA), if you’re a maker of smart toys? There are rules about which personally identifiable information can and cannot be captured and transmitted for a reason—because that information can ultimately be intercepted. Privacy concerns may also broaden to include how to protect personal data from intelligence gathering by domestic and foreign state actors.
Your smart coffee machine acting up? Might be a red flag
Parental control systems are vulnerable, too
How about smart locks? Amazon Key?
Mobile voice assistants aren’t much safer
Your work computer got locked down by malware
Dating services are full of impostors
Smart home is a vulnerable home, period
Even a Tesla car, the next big thing, is hackable
So where are IoT defenses? Why are they so weak?
Seeing as IoT technology is a runaway train, never going back, it’s important to take a look at what makes these devices so vulnerable. From a technical, infrastructure standpoint:
- There’s poor or non-existent security built into the device itself. Unlike mobile phones, tablets, and desktop computers, little-to-no protections have been created for these operating systems. Why? Building security into a device can be costly, slow down development, and sometimes stand in the way of a device functioning at its ideal speed and capacity.
- The device is directly exposed to the web because of poor network segmentation. It can act as a pivot to the internal network, opening up a backdoor to let criminals in.
- There’s unneeded functionality left in based on generic, often Linux-derivative hardware and software development processes. Translation: Sometimes developers leave behind code or features developed in beta that are no longer relevant. Tsk, tsk. Even my kid picks up his mess when he’s done playing. (No he doesn’t. But HE SHOULD.)
- Default credentials are often hard coded. That means you can plug in your device and go, without ever creating a unique username and password. Guess how often cyber scumbags type “1-2-3-4-5” and get the password right?
From a philosophical point of view, security has simply not been made an imperative in the development of these devices. The swift march of progress moves us along, and developers are now caught up in the tide. In order to reverse course, they’ll need to walk against the current and begin implementing security features—not just quickly but thoroughly—in order to fight off the incoming wave of attacks.
How to protect your device
What can regular consumers and businesses do to protect themselves in the meantime? Here’s a start:
- Evaluate if the devices you are bringing into your network really need to be smart. (Do you need a web-enabled toaster?) It’s better to treat IoT tech as hostile by default instead of inherently trusting it with all your personal info—or allowing it access onto your network. Speaking of…
- Segment your network. If you do want IoT devices in your home or business, separate them from networks that contain sensitive information.
- Change the default credentials. For the love of God, please come up with a difficult password to crack. And then store it in a password manager and forget about it.
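
As an added example (not part of the original article), the two checks above can be run against a written-down inventory of your own network: which IoT devices sit outside the IoT segment or still use a factory login, and which router rules let the IoT segment reach trusted hosts. All subnets, device names, logins and rules below are constructed assumptions.

```python
import ipaddress

# Assumed segmentation plan (constructed addresses, not from the article).
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")  # laptops, NAS, work PCs
IOT_NET = ipaddress.ip_network("192.168.50.0/24")      # cameras, TVs, toasters

# Constructed factory logins; a real audit would use each vendor's documented defaults.
FACTORY_LOGINS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}

# Constructed inventory: name, address, whether it is an IoT device, current login.
DEVICES = [
    {"name": "work-laptop", "ip": "192.168.10.20", "iot": False, "login": ("alice", "kept-in-manager")},
    {"name": "ip-camera", "ip": "192.168.50.11", "iot": True, "login": ("admin", "12345")},
    {"name": "smart-toaster", "ip": "192.168.10.77", "iot": True, "login": ("owner", "kept-in-manager")},
    {"name": "smart-tv", "ip": "192.168.50.12", "iot": True, "login": ("owner", "kept-in-manager")},
]

# Constructed router rules: (source network, destination network, action).
RULES = [
    ("192.168.10.0/24", "192.168.50.0/24", "allow"),  # trusted hosts may manage IoT
    ("192.168.50.0/24", "0.0.0.0/0", "allow"),        # too broad: also covers the trusted net
    ("192.168.50.0/24", "192.168.10.0/24", "deny"),
]

def audit_devices(devices):
    """Return (device, finding) pairs for misplaced or factory-login devices."""
    findings = []
    for d in devices:
        addr = ipaddress.ip_address(d["ip"])
        if d["iot"] and addr not in IOT_NET:
            findings.append((d["name"], "iot-device-outside-iot-segment"))
        if d["login"] in FACTORY_LOGINS:
            findings.append((d["name"], "factory-default-login"))
    return findings

def audit_rules(rules):
    """Return every allow rule from the IoT net toward the trusted net, regardless of rule order."""
    risky = []
    for src, dst, action in rules:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if action == "allow" and src_net.overlaps(IOT_NET) and dst_net.overlaps(TRUSTED_NET):
            risky.append((src, dst))
    return risky

if __name__ == "__main__":
    for name, finding in audit_devices(DEVICES):
        print(f"{name}: {finding}")
    for src, dst in audit_rules(RULES):
        print(f"rule lets IoT reach trusted hosts: {src} -> {dst}")
```

The broad "allow to anywhere" rule is the one to watch for: it gives the IoT segment Internet access but also covers the trusted subnet unless a deny rule is evaluated first.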
IoT devices haven’t already short-circuited the world because a lot of them are built on different platforms, run different operating systems, and use different programming languages (most of them proprietary). So developing malware attacks for every one of those devices is unrealistic. If businesses want to make IoT a profitable model, security WILL increase out of necessity. It’s just a matter of when. Until then…gird your loins.