Can hackers really break into your home network through the baby monitor? Or disable your car by hacking the Engine Management System? Watch this 3-minute video from Cisco to appreciate the possibilities, in this case breaking into a business via the thermostat and stealing industrial secrets. We take a closer look at IoT: what it is, and what you need to know to protect yourself.
The Internet of Things (IoT). Sounds innocuous enough, doesn’t it? A bit like ‘days of our lives’ or ‘the life of dogs’. Sure, convenience flows from IoT (a bit like having a dog that can make an espresso), but there are pitfalls: maybe the dog can’t tell ground coffee from ground black pepper.
IoT describes a mysterious world that’s right under our noses yet invisible to the naked eye. The ‘things’ we’re talking about here are internet-connected electronic devices that are being added to TVs, cars, fridges, medical devices, dog collars and a lot, lot more at a dizzying pace. There are some 25 billion IoT devices in use around the world, and that number is growing fast.
We have the technology, and as usual it’s run away from us before we’ve had a chance to examine the consequences. WIRED tells us that ‘the long-predicted IoT crisis is here, and most devices simply aren’t ready.’ It doesn’t look much better in the business world, where the connection of IoT devices to corporate and government networks will make yet more work for IT security teams that are already stretched beyond their capacities.
What’s so good about IoT Devices?
An obvious benefit for vendors is the ability to monitor their devices and solve technical problems or upgrade firmware remotely. Say your car has a fault in the engine management system that the dealer can’t identify. Savvy techies at the company’s HQ can run tests, analyse data, tell the dealer what the problem is and how to fix it. And maybe install an upgrade or fix for the latest firmware. Very convenient for the vendor and for you.
The story gets a bit murkier when we look at the current fad for smart speakers, devices people like to stick in every room so they can give orders to their electronic butler, play some music, update the shopping list, check the weather forecast or the latest news. These voice-activated virtual assistants go by names like Amazon Echo, Google Home and Apple HomePod. ‘Are they helping hands or Trojan Horses?’ asks John Kruzel at Politifact. More on this in our post Every Move you Make.
Then there’s all that wearable technology, which ranges from fitness monitors to eye glasses and smart watches that can order take-away meals with a simple voice command from their wearers. Michelle Drolet from CSO makes a really good point here: ‘The kinds of discreet abilities that many modern wearable devices have in terms of video and audio surveillance surpass high-end spy gear from just a few years ago.’ Eat your heart out, James Bond.
Great Technology or Heaven for Hackers?
IoT clearly has the potential to make life easier. The downside is that these devices communicate via IP networks, and this opens new points of entry for hackers, mainly because the connections are anything but secure (we come to the reasons below). Could they disable your pacemaker or cause your car to crash?
‘Smart buildings, HVAC and even physical security technologies are now connected,’ the SANS Institute summed up the state of affairs recently. ‘The latest wave of “things” … includes but is not limited to automobiles, airplanes, medical machinery and personal (implanted) medical devices, and SCADA systems (windmills, environmental sensors, natural gas extraction platforms, hydro systems ….)’
According to WIRED, the most common exploits are designed either to conscript thousands of vulnerable IoT devices into botnets or to get access to a network through a weak IoT device for ransomware attacks.
Smart Devices for a Smarter World
The Internet of Things makes many promises, from smart cars that read e-mails to you as you drive, smart fridges that remind you to buy milk on the way home, to smart medical devices that let your doctor check on you from afar. ‘Entire cities in South Korea are already rushing to link their infrastructure to the web to make it more efficient and improve services,’ says an article headed Home, Hacked Home in the Economist.
The possibilities are mind-numbing, and the implications for security and privacy even more so. The urban myth of your fridge being hacked and sending your friends spam emails has become reality: in late 2013, an IT security company reported that an internet-connected fridge had sent out more than 750,000 spam and phishing emails over the Christmas break.
The Samsung ‘Family Hub’ as a fridge
Security? Not their Problem
‘The “Internet of Things” holds great promise for enabling control of all of the gadgets that we use on a daily basis,’ Michael Osterman of Osterman Research told The Guardian. ‘It also holds great promise for cyber criminals who can use our homes’ routers, televisions, refrigerators and other Internet-connected devices to launch large and distributed attacks.’
To secure these devices, users would have to change passwords and other settings away from their defaults, but how practical or likely is that? And the manufacturers don’t see it as their responsibility to build security into them. The automotive industry is a good example since today’s cars are stacked with IoT devices. Security analyst Sarb Sembhi makes the point that ‘vehicle manufacturers do not regard the security of components as part of their job.’
Security analyst Josh Corman puts it this way: ‘There is a big difference between the internet of things and other security issues … If my PC is hit by a cyber-attack, it is a nuisance; if my car is attacked, it could kill me.’ Hype or reality? Modern cars use microprocessors to control and monitor not just engines, but also traction control, suspension and steering systems.
Our Health under Threat
Medical devices such as pacemakers can be hijacked too, as Barnaby Jack of IOActive showed recently, ‘to deliver a deadly, 830-volt shock from someone on a laptop up to 50 feet away.’ The US Department of Homeland Security released an advisory to manufacturers and healthcare organizations warning of security vulnerabilities in the firmware of approximately 300 medical devices from around 40 vendors.
The medical appliances included surgical and anaesthesia devices, ventilators, drug infusion pumps, defibrillators, patient monitors and laboratory equipment. The vulnerabilities were caused by hard-coded default passwords in all 300 devices. Default passwords are the Achilles heel, because they’re easy work for hackers.
Too Close to Home
Hackers can grab the IP addresses of unsecured IoT devices, and use these to track down your residential address. They can sell that information to gangs of cyber criminals on the dark web. If you have IoT devices connected to your smart home security system, these could be cracked as well. At this point, hackers will likely know when your family is at home or at work or at school, so physical intrusion is made easier. You will be under surveillance, and you won’t know.
Computerworld cites a recent White House report on big data that discusses the capability of sensors and smart meters to ‘turn homes into fish tanks, completely transparent to marketers, police — and criminals.’ The report warns that a ‘sea of ubiquitous sensors, each of which has legitimate uses, make the notion of limiting information collection challenging, if not impossible.’
This goes for businesses as well. ‘As organizations use technology to move to an “always on” environment, users become part of the information infrastructure through the use of their personal mobile devices …’ warns Angela Orebaugh from Booz Allen Hamilton. ‘In essence, users become nodes on the IoT.’
‘We’ll probably see a whole new set of attack vectors,’ says Javvad Malik at 451 Research, ‘ranging from the CEO who was kidnapped because his fitness tracker told the attackers all of his movements and times for the last six months.’
What’s the Answer?
Clearly, you should be paying as much attention to securing your smart fridges, TVs and cars as you do your PCs, tablets and smart phones. The trouble is, you can’t install security software on all the microchips in your environment.
In large organisations, the threat is that of hackers gaining access to valuable or private information by hacking IoT devices. Jeffrey Tang, Senior Security Researcher at Cylance, provides a short list of actions to help secure business networks from vulnerabilities created by IoT devices.
At home, the best solution is to install a router or a Virtual Private Network (VPN). The router acts like a secure front door to everything behind it, and a VPN creates a closed system from any internet connection, including public ones where the risk of intrusion is high. A VPN has 2 advantages:
It keeps your Internet Protocol (IP) address from being discovered by hackers
It creates secured, encrypted connections for all your communications on a wireless network