Probably the best £100 I’ve ever spent was on a Nest Protect. It’s awesome. In a nutshell, it’s a Wi-Fi enabled smoke and carbon dioxide detector. My “dumb” one worked just as well but this one has a number of key advantages.
Firstly, it lets me know when my batteries are running low. It also means that I can check on the safety of my home, from literally anywhere in the world. I could be on a beach in Bali, or at a conference in California. It really doesn’t matter.
I know it sounds a bit trivial, but I’m a dad. This kind of thing is important to me. But I also recognize that there’s another side to the convenient world of the Internet of Things (IoT), which is responsible for some serious security issues.
Attack of the toasters!
So, why is your internet-connected widget a security threat? Well, it comes down to design. The way we create “Internet of Things” and “smart home” appliances is fundamentally flawed.
As we saw with the Mirai botnet, many devices come poorly secured by default. This makes it an enticing target for attackers, and has led to people’s security cameras and alarms becoming spambots and botnets.
There’s also the issue of obsolescence. While you might only replace your smoke alarm once every twenty years, it’s unreasonable to expect a technology company to support a product for this long. It’s not out of the question for an attacker to identify a vulnerability in a popular, but long-abandoned smart home product.
Just imagine what the Windows XP of IoT will look like. It isn’t pretty.
But when devices aren’t being used to attack, it’s possible for the devices themselves to be attacked. As IoT devices from a particular manufacturer reach a critical mass they become enticing targets to hackers.
We have seen various attacks that target the computer systems found in modern cars.
There’s also the potential for ransomware to be placed on household items. Earlier this year Andrew Tierney and Ken Munro - two British security researchers with Pen Test Partners - demonstrated the first variant for a smart thermostat at the Def Con conference.
Imagine what it would be like if your home’s central heating was hijacked unless you paid an attacker one bitcoin. To incentivize you to pay up, the attacker might crank your heat up to 30º Celsius in the middle of summer, or turn it off entirely in the dead of winter.
Insecure IoT and smart home devices also present a troubling threat to our collective privacy, and make it easier for an attacker to collect intelligence about us.
Most devices provide at least two pieces of information - a status and a location. With these two bits of information, an attacker can infer many things about a potential target.
For example, knowing the location and status of a Loxone security system could tell a burglar if their mark is at home.
It’s ironic. The tools we depend on to prevent things like this happening could be the things that allow them to happen.
IoT could also change the way people are “doxed”. This used to be just addresses, passwords, phone numbers. But with Internet of Things, an entire new dimension could be added containing information about how we eat, sleep, live, and love.
This is truly scary stuff.
We live in an era where convenience and instant gratification are paramount. If we have to wait in line to order a burger at McDonalds, or to order a latte at Starbucks, we huff and moan, and head to Twitter to complain.
This has led to a flurry of innovation. There are now apps, appliances and devices that streamline our life.
But we judge them through one prism: do they make our lives more convenient? However, most of us don’t ask the important questions. How is this data stored? How is it transmitted? How much effort did the manufacturers and developers take to secure it? Quite often, the pressure to get products to market quickly means cutting corners on things like security.
It’s truly terrifying, but despite many high-profile incidents, IoT security is getting worse, not better. This trend shows no sign of abating.
Enterprises need to factor these risks into their assessments. Not only in how IoT devices are used within the enterprise, but how they can be used to attack the enterprise, and also how employee-owned smart-devices could compromise a business.
Securing these devices isn’t trivial, and certainly won’t be a quick process. Therefore, it’s in an enterprise’s best interest to carefully monitor IoT traffic and behaviour as well as utilising the latest in threat data to identify and respond to attacks leveraging IoT.