Your home may be smart, but is it secure?
No one will dispute that the Internet of Things (IoT) is the buzzword in today’s internet-driven world. From connected light bulbs to smart fridges and coffee machines, the IoT phenomenon is promising to change our lives in ways that weren’t imaginable a few years back.
However, in tandem with becoming smarter, our homes are also becoming less secure, and the billions of devices that are being added to our hyper-connected world every year are creating countless new possibilities and attack vectors for hackers with malicious intent.
As the IoT continues its chaotic growth, security is becoming more critical than ever. Hacked baby monitors, cars that are shut down remotely and televisions that spy on you are just some of the stories that might give you the creeps and make you lose your trust in your own dishwashing machine and other home appliances.
Here are a few warnings from IoT industry experts that should be considered if you already own IoT devices at home, or are planning to buy a new connected appliance.
In their haste, IoT developers overlook security considerations
While IoT is going through its ‘gold rush’ phase, manufacturers are more concerned about shipping feature-complete products, and in their haste to avoid losing to the competition, they’re prone to neglecting security issues. In a survey carried out by security firm Auth0, 85% of polled developers admitted to being pressured to rush an application to market despite security concerns. According to developers surveyed by Auth0, “IoT devices are often pushed to market too quickly, forcing developers to cut corners.”
Therefore, hundreds and thousands of vulnerable devices have already been installed in consumers’ homes, with hundreds more entering the fray every day.
A blog post by security expert Graham Cluley states that more than 200,000 IoT devices suffer from the Heartbleed bug, one of the most serious security holes discovered in recent years.
Other research, led by security consulting firm SEC, found that millions of IoT products use shared SSH and HTTPS keys, which makes man-in-the-middle attacks much easier to carry out.
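One way to check your own network for the shared-key problem described above, as an added example that is not from the original article: it groups SSH host keys by fingerprint and reports any key presented by more than one device. It assumes the input is `ssh-keyscan` output collected from devices you own; the addresses and key blobs in the sample are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_text: str) -> dict[str, list[str]]:
    """Map fingerprint -> sorted hosts, keeping only keys seen on 2+ hosts."""
    hosts_by_fp = defaultdict(set)
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits banner lines starting with '#'
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: need host, key type and key blob
        try:
            fp = fingerprint(parts[2])
        except ValueError:
            continue  # key field is not valid base64
        for host in parts[0].split(","):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def _fake_key(label: str) -> str:
    # Constructed stand-in for a key blob; not a real SSH key.
    return base64.b64encode(f"constructed-key-{label}".encode()).decode()


# Constructed sample in "host keytype base64-key" format.
SAMPLE_SCAN = "\n".join([
    "# 192.168.1.20:22 SSH-2.0-example",
    f"192.168.1.20 ssh-rsa {_fake_key('vendor-default')}",
    f"192.168.1.21 ssh-rsa {_fake_key('vendor-default')}",
    f"192.168.1.30 ssh-ed25519 {_fake_key('unique-nas')}",
    f"192.168.1.21 ssh-rsa {_fake_key('vendor-default')}",  # repeated scan
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is shared by: {', '.join(hosts)}")
```

Two devices presenting the same host key usually means the key was baked into the firmware image rather than generated on first boot.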
Patching and updating IoT devices involves too much trouble
The second point to consider is the mechanism needed to patch, update or re-flash IoT firmware once it is found to have a vulnerability. Since many gadgets are sorely lacking in this domain, their owners are left to choose to either dispose of the product or to keep it and live with the fact that there’s a vulnerable gadget in their home that can be compromised by malicious hackers.
As Mika Majapuro, the Director of Business at security tech-firm F-Secure, said: “There is no way to manually install security products on your IoT devices. How would you install anything on your toaster?”
There’s also the issue of managing all these connected devices. Majapuro further elaborated on the issue by pointing out: “Many of these devices have a long lifecycle. If you buy a connected fridge, you probably want to keep it for several years. How will you know when a software update for your fridge is available?” You’ll probably have to check its vendor’s site for updates. But then you have many of these devices in your home. Majapuro added a twist by asking, “What if your fridge vendor stops supporting the model you have or the vendor goes bankrupt?”
IoT devices give away your living habits
This means more than those evil smart TVs that snoop on your watching habits and listen to your conversations. As a study by LGS Innovations points out, even when IoT devices encrypt their communications, hackers can monitor IoT network activity in your home to remotely figure out your daily habits, including the times you’re not at home (you know what happens after that).
And that does not account for individual devices being hacked. When Dr. Paul Judge, co-founder of tech-startup Luma, was asked about smart home security, he commented: “IoT devices tend to hold your most personal information – like camera footage of your home, your health information, location and family info. If you do not address security for IoT devices, then every new device that you bring home has the potential to steal your identity and invade your privacy.”
IoT devices can enable intruders to access more sensitive devices
IoT devices might not contain critical information per se, but they can allow hackers to access more critical information that can be found in your network.
Most devices are protected against intruders from outside your network, but they’ll likely trust a device that is on your local network. For instance, a web server in your home network might not accept connections from outside, but will trust HTTP requests coming from within the home network.
Majapuro said: “Most hackers are not after your connected coffee maker. They are after your personal information, e.g. your banking information. Hackers might use your connected coffee maker as an entry point into your home network. Once in, they can try to get to your laptop and tablets and that way gain access to personal information e.g. banking and credit card information.”
Cybercriminals use vulnerable IoT devices to assemble their botnet armies
This might not directly affect your life, but it is a serious issue nonetheless. One of the most famous types of cyber attack is the Distributed Denial of Service (DDoS) attack, in which hackers hijack a large number of devices, collectively called a botnet, and use them to send countless requests to target servers in order to overload them and bring them down.
In previous years such a feat could only be accomplished by compromising personal computers, which was a challenging task given that most users tend to install some sort of anti-virus or malware protection software on their PCs. However, with a host of vulnerable IoT devices at their disposal (which have no means to protect themselves), hackers no longer need to go after desktop workstations and laptops.
Without knowing it, your smart fridge or connected light bulb can become a slave (or a willing member) of a dark botnet army, doing the bidding of some evil hacker who wants to ransom an unfortunate victim.
The threats involved in the IoT industry are freakishly scary, but the goal of this article isn’t to convince you to change your mind and stick to the same, decades-old appliances you owned before. The tech community is already taking great strides to make sure more secure devices are used for the purposes they were made. F-Secure in particular will soon be shipping the SENSE box, which will be addressing the very issues raised here.
The point is, you need to assess the risks, identify the weaknesses and plug the holes that cyber criminals might use to turn your dream home into a nightmare.