Here at IoTSF our mission is to unite the efforts of diverse IoT stakeholder groups to raise the bar on security.
That’s a truly noble and worthwhile cause – and it’s also a mighty tall challenge. It’s such a huge task that we can only meet our vision of safety of connection by working with many, and prioritising our efforts. We came across a blog post by Ben Dickson which neatly captures a number of the issues we see today in consumer/home IoT. Ben has kindly agreed to allow us to reproduce the piece below, which originally appeared here.
No one will argue that the Internet of Things (IoT) is the buzzword in today’s internet-driven world. From connected light bulbs to smart fridges and coffee machines, the IoT phenomenon is promising to change our lives in ways that weren’t imaginable a few years back.
But in tandem with becoming smarter, our homes are also becoming less secure, and the billions of devices that are being added to our hyper-connected world every year are creating countless new possibilities and attack vectors for hackers with malicious intent.
As the IoT continues its chaotic growth, security is becoming more critical than ever. Hacked baby monitors, cars that are shut down remotely, and televisions that spy on you are just some of the stories that might give you the creeps and make you lose your trust in your own dishwashing machine and other home appliances.
I had the chance to talk to some of the experts in the IoT security field, and here are a few warnings you should consider if you already own IoT devices at home, or are planning to buy a new connected appliance.
In their haste, IoT developers overlook security considerations
While IoT is going through its “gold rush” phase, manufacturers are more concerned about shipping feature-complete products, and in their haste to avoid losing the competition, they’re prone to neglecting security issues. In a survey carried out by security firm Auth0, 85 percent of polled developers admitted to being pressured to rush an application to market despite security concerns. According to developers surveyed by Auth0, “IoT devices are often pushed to market too quickly, forcing developers to cut corners.”
Therefore, hundreds and thousands of vulnerable devices have already been installed in consumers’ homes, with hundreds more entering the fray every day.
A blog post by security expert Graham Cluley states that more than 200,000 IoT devices suffer from the Heartbleed bug, one of the most serious security holes discovered in recent years.
Another study, led by security consulting firm SEC, found that millions of IoT products use shared SSH and HTTPS keys, which makes Man-in-the-Middle attacks a breeze.
Patching and updating IoT devices involves too much trouble
The second point to consider is the mechanism needed to patch, update or re-flash IoT firmware once it is found to have a vulnerability. Since many gadgets are sorely lacking in this domain, their owners are left to choose to either dispose of the product or to keep it and live with the fact that there’s a vulnerable gadget in their home that can be compromised by malicious hackers.
As Mika Majapuro, the director of business at security tech-firm F-Secure, told me, “there is no way to manually install security products on your IoT devices. How would you install anything on your toaster?”
There’s also the issue of managing all these connected devices. Majapuro further elaborated on the issue by pointing out, “Many of these devices have a long life-cycle. If you buy a connected fridge, you probably want to keep it for several years. How will you know when a software update for your fridge is available?” You’ll probably have to check its vendor’s site for updates. But then you have many of these devices in your home. Majapuro added a twist by asking, “What if your fridge vendor stops supporting the model you have or the vendor goes bankrupt?”
IoT devices give away your living habits
And by this, I mean more than those evil smart TVs that snoop on your watching habits and listen to your conversations. As a study by LGS Innovations points out, even when IoT devices encrypt their communications, hackers can monitor IoT network activity in your home to remotely figure out your daily habits, including the times you’re not at home (you know what happens after that).
And that does not account for individual devices being hacked. When I asked Dr. Paul Judge, co-founder of tech-startup Luma, about smart home security, he wrote, “IoT devices tend to hold your most personal information – like camera footage of your home, your health information, location and family info. If you do not address security for IoT devices, then every new device that you bring home has the potential to steal your identity and invade your privacy.”
IoT devices can enable intruders to access more sensitive devices
IoT devices might not contain critical information per se, but they can allow hackers to access more critical information that can be found in your network.
Most devices are immune to intruders from outside your network, but they’ll likely trust a device that is in your local network. For instance, a web server in your home network might not accept connections from outside, but will trust HTTP requests coming from within the home network.
As Majapuro told me, “Most hackers are not after your connected coffee maker. They are after your personal information, e.g. your banking information. Hackers might use your connected coffee maker as an entry point into your home network. Once in, they can try to get to your laptop and tablets and that way gain access to personal information e.g. banking and credit card information.”
Cybercriminals use vulnerable IoT devices to assemble their botnet armies
This might not directly affect your life, but it is a serious issue nonetheless. In case you didn’t know, one of the most famous types of cyber-attack is the Distributed Denial of Service (DDoS) attack, in which hackers hijack a large number of devices, collectively called a botnet, and use them to send countless requests to target servers in order to overload them and bring them down.
In days of yore (I mean ten years ago, maybe), such a feat could only be accomplished by compromising personal computers, which was a challenging task given that most users tend to install some sort of anti-virus or malware protection software on their PCs. But with a host of vulnerable IoT devices at their disposal (which have no means to protect themselves), hackers no longer need to go after desktop workstations and laptops.
Without knowing it, your smart fridge or connected light bulb can become a slave (or a willing member) of a dark botnet army, doing the bidding of some evil hacker who wants to ransom an unfortunate victim.
Conclusion
Ok, the threats involved in the IoT industry are freakishly scary, but the goal of this post wasn’t to convince you to change your mind and stick to the same dumb, decades-old appliances you owned before. In fact, as the , I’m always on the lookout for new gadgets and cutting-edge technology, and I have quite a few smart things at home and I see great potential in the future of IoT. And the tech community is already taking great strides to make sure these devices are more secure and are used for the purposes they were made for.
The point is, you need to assess the risks, identify the weaknesses, and plug the holes that cybercriminals might use to turn your dream home into a nightmare.
Thank you Ben.
Readers might be interested to learn that IoTSF has prioritised the connected consumer domain of IoT for initial work. In particular:
- WG2 – Best practice and guidelines for Connected Consumer products and devices.
- WG3 – Patching constrained devices.
- WG1 – Self-certification for technology suppliers.
You can see our current working groups here.