I'm scared about IoT Security. You should be too. N2K Blog


G. Monsalvatge

On a summer vacation trip with my parents in a car with no air conditioning, we were heading home. I hoped that the house’s air conditioning would be turned down low so we could cool off after our trip. We did not have a smart thermostat then. Instead, I sweated to death, carrying the suitcases into the house. Now with smart devices, I can have a cool house, the lights can turn on or off when I am not there, and I can see via a remote camera if my cat is clawing up the sofa while I am away. These cool devices are part of the Internet of Things (IoT): physical devices with software, sensors, or other technologies that connect and exchange data with other systems or devices over the Internet. IoT makes my life a lot easier. By 2025, consumers worldwide will have 64 billion IoT devices. All those creature comforts that I wanted as a kid are coming true. The future looks great! However, IoT gives me nightmares because of all of IoT’s vulnerabilities and security risks. Are the Russians hacking my remote camera? Maybe the singer, Rockwell, was right in 1984 when he sang “Somebody’s Watching Me”?

IoT has several security issues, such as hacking, device manufacturers’ overconfidence, poor public perception, and privacy issues. News stories about hackers breaking into nanny cameras continue to scare consumers. Yet, sales are still high and IoT devices continue to be designed to be consumer-friendly but not designed with security in mind. Hackers do not have to spend a lot of time or resources to exploit the security holes in the current IoT devices on the market. Device manufacturers do not want to spend the money to make the products secure. While consumers may not feel protected against hackers with these devices, they still purchase them. It seems the burden of security falls on the consumer, not the manufacturer.

The more IoT devices are used, the more data they generate. With all the IoT devices out there, many data points could be hacked. According to the Federal Trade Commission, 150 million data points can be generated by 10,000 households with IoT devices. Those data points could be easy prey for hackers trying to mine information such as what music, television, or movies you stream.

Hackers may not be the only ones trying to mine information from you. Device manufacturers may want to mine your information for their own commercial purposes. Pay attention to your terms of service agreement. Your service agreement was written in “legalese” so that a person who did not pass the state bar exam does not understand what it says. Companies such as insurance providers may offer you a discount on health insurance if you wear a fitness tracker or a discount on your auto insurance if you keep a device in your car to track your driving habits. If you believe that a red light means stop, a green light means go, but that yellow light means go faster, you probably should not keep a device from the insurance company in your car.

There are several security issues that you need to be aware of in the IoT landscape. Device manufacturers will cut costs in the production of IoT devices, which means that they may use outdated hardware that could easily be hacked, run old software that needs patching, rely on insecure data transfer and storage methods, and ship with consumer-friendly, guessable passwords. These problems could potentially expose your login credentials for your email or possibly weaken another secure login method. For example, a fingerprint padlock on a smart device could be accessed with a Bluetooth key with the same MAC address as the padlock device. The MAC address, of course, could be spoofed.
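The padlock weakness described above, modelled in Python as an added example (not code from the original post or from any real product): a lock that accepts an address as its only credential, next to one that requires proof of a secret shared at pairing. The address, secret, and all function and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration only.
PAIRED_KEY_MAC = "AA:BB:CC:DD:EE:01"  # address the lock was paired with
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # set at pairing


def unlock_by_mac(claimed_mac: str) -> bool:
    """Weak design: the address is the only credential.

    A Bluetooth address is broadcast in the clear and chosen by the sender,
    so it identifies a device but proves nothing about it.
    """
    return claimed_mac.upper() == PAIRED_KEY_MAC


def key_response(secret: bytes, mac: str, nonce: bytes) -> bytes:
    """What a genuine key computes for a given challenge."""
    return hmac.new(secret, nonce + mac.upper().encode(), hashlib.sha256).digest()


class ChallengeResponseLock:
    """Hardened design: the key must prove it holds the pairing secret."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # nonce awaiting a response

    def challenge(self) -> bytes:
        # Fresh random nonce per attempt, so an old response cannot be replayed.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, claimed_mac: str, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single use
        if nonce is None:
            return False
        expected = key_response(self._secret, claimed_mac, nonce)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)
```

In the hardened version the address is only a label bound into the MAC computation; knowing or copying it is not enough to open the lock.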

IoT device manufacturers are caught trying to balance convenience and cost with security, and ultimately, consumers choose convenience and cost. Even if the manufacturers locked down IoT devices with the tightest security, users would find a way around it. Fortune 500 companies have implemented strict password policies, but that won’t stop Brandon in Accounts Payable from writing his password on a piece of paper taped to his keyboard. We all make fun of Brandon and use him as an example of a careless employee, but we are all vulnerable to phishing attacks and social engineering. These types of attacks can affect IoT security. 

Users often do not update the software or firmware of their devices. Even if initially secure, any software or device may weaken over time because of technology changes or zero-day threats. Over time, the device will have vulnerabilities that were not accounted for when the device was produced. The burden of updating falls on the consumer. Most Americans do not put regular maintenance into their automobiles or their homes, so expecting them to put maintenance into upgrading a comparatively cheap device is unrealistic. In an ideal world, the updating and patching method for an IoT device would be automatic, but even that has its concerns.

Control of the billions of IoT devices out there means more to hackers than just stealing information. Hackers could, for instance, hijack the devices for their own ends and infect them with malware to create an army of devices that could launch a Distributed Denial of Service (DDoS) attack against DNS servers, web servers, or any other critical servers. This same army of devices could be used to mine cryptocurrency, distributing the load over hundreds of small processors rather than one large one; IoT botnet miners could disrupt the crypto market with an attack that floods it.

Another mechanism to take control of an IoT device is through ransomware attacks. Hackers could infect the IoT devices with malware that seeks out elements or files on servers attached to the network and encrypts them. Hospitals, schools, and local governments have been increasingly attacked by ransomware in the past few years. They are easy targets because they do not have adequate support staff to secure their networks and, in some cases, are forced to pay the ransom.

I lost some sleep over the fact that Vladimir Putin might change the temperature on my thermostat. Still, I lose a lot of sleep over the lack of security over IoT devices in corporate America and the United States infrastructure. 

In 2016, 70% of Washington DC’s surveillance cameras were infected with ransomware, affecting law enforcement’s ability to perform functions of their jobs. Without better security on IoT devices, more vigilant consumers, or legislation forcing tighter security on IoT devices, the future can be scary. Still, as more public incidents of IoT hacks and security failures become headlines, security will become the priority.

Stay Safe,

George Monsalvatge