Internet of Fail: How modern devices expose our lives
Should you sync your family’s calendar to your refrigerator or have it display photos? Samsung believes you should. They also think you need cameras that display the food inside, to help during shopping. Sure, these features can make life easier, but how would you feel about someone accessing this information? What could a stranger do if he knew you’re out of the house tomorrow night?
I’m not saying this particular refrigerator is insecure, but do you have any assurances it’s secure? How do you know the data it uses is safe from prying eyes?
Internet of Fail
During the past few years we’ve seen examples of all sorts of IoT devices exhibiting glitches, getting hacked, manipulated, and the information they hold exfiltrated:
- At Black Hat USA 2015, security researchers Runa Sandvik and Michael Auger demonstrated how they hacked a Linux-powered rifle made by Texas-based company TrackingPoint. They found vulnerabilities that can be exploited to make users hit targets they didn’t intend to.
- Earlier this year, SF Globe reported on a deeply disturbing hack: someone accessed a Washington’s family Foscam baby monitor and talked to their child at night.
- In January, Alphabet-owned smart homeware company Nest has asked users to reset their connected thermostats after a software bug drained its battery and sent homes into a chill in the middle of the night.
- A vulnerability in the mobile app used to interact with the Nissan LEAF electric can be exploited by remote, unauthenticated attackers to switch the car’s AC and heating system on and off, but also to extract details about the owner’s journeys, security researcher Troy Hunt has demonstrated. This is not a one-off, there have been many issues with vehicles, and even the FBI says that car hacking is a real risk.
- Last week, researchers have managed to exploit design flaws in the Samsung SmartThings smart home programming platform and successfully mount a series of attacks that could result in smart homes being entered, burglarized, and generally made insecure by attackers via malicious apps.
And, are you ready for the really bad news? The examples outlined above are just the tip of the iceberg. Thousands of devices are being connected to the Internet, and there is no set of rules or regulations that would force manufacturers to make them secure. I believe we still haven’t seen all the real dangers that the Internet of Things will bring.
The privacy paradox
The Snowden revelations have propelled privacy concerns into the mainstream. People are blocking their computer webcams by putting things over the lens, but at the same time they’re wearing smart watches that track their movements, they’re using Smart TVs that monitor their viewing habits, and they’re buying all sorts of appliances that connect to the Internet insecurely.
“There are two reasons people are selective about privacy. They are unaware of the big picture or they have no alternative. Many don’t realize that they bought a TV that tracks them, all they want is the latest TV. In many cases buyers would probably prefer a more privacy-friendly option, but that option is often hard to find, if available at all,” according to Jaap-Henk Hoepman, Scientific Director, Privacy & Identity Lab, Radboud University Nijmegen.
“As with most consumer electronics devices, cyber security is an afterthought that will be integrated into the product in version 5 if we are lucky. When faced with a looming deadline like the holiday shopping season, given a choice between shipping a product or securing it, manufacturers will choose to ship every time,” Bob Baxley, Chief Engineer at Bastille, told Help Net Security.
“The big risk is not that a criminal will be able to break into your house through your smart lock, but that the smart lock will provide the attacker access to your network and online credentials. Why would a sophisticated criminal steal a $500 TV, when he could instead raid your bank account through your Internet connection?” he added.
You could argue that a random user is not important enough to be the focus of someone interested in exploiting careless IT security hygiene. “It is a huge inconvenience to forego the latest and greatest technology innovation only to prevent a low-probability (but high consequence) cyber attack,” Baxley explains the manufacturers’ point of view.
That being said, if you knew that there was a probability, no matter how small, that because your baby monitor was not secure enough, someone could see and talk to your child at night, would you buy it anyway? And if you would, what is the thing that would make you go back on that decision – where do you draw the line when it comes to convenience vs security?
IoT expansion
Without a doubt, IoT is now mainstream. In fact, IoT use is growing rapidly across almost every industry. One of the things that makes IoT so disruptive is that its impact isn’t restricted to a single sector or function. From consumer devices to jet engines, logistics to product development, healthcare to municipal planning, enterprise IoT is having a huge impact, according to the “State of the Market: Internet of Things 2016” report by Verizon Enterprise.
Enterprises are susceptible to attack through the IoT infrastructure they have in their environments. According to Baxley, this is scary for two reasons:
1. Enterprises don’t even know what IoT devices are in their environment because these devices tend to communicate using off-network wireless protocols.
2. Enterprises keep more sensitive information than an individual does.
“Enterprise threats look very similar to the home IoT threats but are much more frightening given their scale,” he notes. “For example, a facilities group installs an industrial control system that, unbeknownst to the IT security department, has an open Zigbee network enabled and accepting connections. Or, they install wireless keyboards using an insecure non-standardized 2.4GHz protocol to send key presses to all the computers in a corporate environment.”
All of these attacks are predicated on the idea that you can’t see the wireless IoT networks. “Unlike the one or two pipes to the Internet through which all corporate wired traffic flows, there is no perimeter around the RF space. While an enterprise’s wired network looks like a thick-walled house with a single well-guarded door, your RF space is more like a screen porch with millions of holes,” he explains.
There is some potential good news. According to Gartner, worldwide IoT security spending will reach $348 million in 2016, a 23.7 percent increase from 2015. Furthermore, spending on IoT security is expected to reach $547 million in 2018.
We can only hope that this leads to more security-conscious product development, and voice our preference for products that have been proven to be secure.