Hacked by Your Fridge: Why the Internet of Things will Cause Havoc in 2017
As business use of internet-connected devices catches up with consumer usage, we’re now on the cusp of an Internet of Things revolution. The first Internet-connected toaster was unveiled back in 1989 and experts now predict that there will be 50 billion ‘smart objects’ by 2020.
The Internet of Things includes more than just expensive appliances. The technology scales up to include smart cities – think rubbish bins that signal when they need to be emptied, or the elimination of traffic jams through connected roads.
Benefits of internet-connected devices include better data, automation, and increased efficiency. But there’s a darker side to the Internet of Things – it’s hugely vulnerable to exploitation by hackers.
Security is Extremely Weak
For consumers, interconnected devices, like smart fridges, represent the bleeding edge of modern products. But every new technology has a downside and IoT is no different. Many may not realise that the security of their IoT devices is often outdated and plagued by vulnerabilities.
Should you care if your internet-enabled fridge is hacked? In short: yes. IoT devices collect masses of personal data. For example, your smart heating system knows what electronic devices you use, when you’re home and when you’re out of the house.
Expose your personal data to malicious hackers and it could be used against you, or sold on the black market.
And it gets worse. Hackers have already learnt how to manipulate IoT devices, turning them against their owners and using them to barrage web servers.
‘The challenge we face is that many of [these products] are not designed with security in mind.
‘Many users do not realise that they are essentially deploying a tiny web-enabled server in their home that could potentially be subverted to cause harm,’ says Terence Greer-King, director of cyber security at Cisco.
Devices — like internet-enabled DVRs and fridges — with hardcoded default passwords are often neglected in terms of cyber security. These products are easy prey for cyber criminals, like those responsible for the Mirai botnet.
In 2016, a vast army of hijacked IoT devices broke a huge chunk of the web. Unknown to their owners, these devices launched junk traffic at servers operated by Dyn, a company that provides DNS services for websites across the world.
The Mirai botnet, consisting of 100,000 IoT devices, took down major websites like Reddit, Netflix and Twitter in a DDoS (distributed denial-of-service) attack.
One month later businesses were found unprepared when the Mirai botnet struck again. This time the attack affected 100,000s of TalkTalk and Post Office broadband customers.
The Mirai botnet affected a relatively small number of IoT devices. But with an estimated 5m unsecured devices up for grabs, it doesn’t take a mathematician to see that this is a disaster waiting to happen.
Worryingly, the poor state of IoT security is unlikely to improve in the short term and similar attacks are inevitable.
IoT Adoption is a Unique Security Challenge
IoT security hinges on scalability. For devices to be secure, their security technology must scale. While it was once typical for large enterprises to manage 50,000 endpoints, this number has already skyrocketed into the 100,000s and millions. This is increasingly hard for enterprises to manage.
The opportunity is all too obvious for cyber criminals. Millions of weakly secured IoT devices — many running default security passwords — can be easily breached using basic brute force techniques.
Compromised devices could then leak your personal data or join botnets used to carry out chaotic DDoS attacks. It’s also very unlikely you’ll even realise your device is compromised.
Even if devices are secure, the lack of recognised IoT standards reduces interoperability and functionality. There are masses of IoT frameworks and this means gaps in security if devices want to communicate effectively.
Security Struggles to Remain Updated
Automatic security updates to our computers help keep us safe in the face of evolving cyber threats.
But for manufacturers pressured to produce devices quickly and cheaply, cyber security is a low priority. Even if companies do offer regular firmware upgrades to patch security flaws, focus on firmware updates is lost when new hardware is introduced.
This leaves consumers with outdated hardware that could become a security risk – ‘These companies sometimes have the intention of fixing a vulnerability like that through a firmware upgrade, but then never get around to it because they don’t want to disrupt the user base’ says one cyber security researcher at Tripwire.
What’s more, some consumers simply won’t update their devices manually. With a lack of automatic updates on IoT devices, consumers are even less likely to keep their firmware up-to-date, especially if they can’t be controlled from a single computer.
Is There Light at the End of the IoT Tunnel?
The Mirai botnet attacks are a quiet precursor to a potentially massive DDoS disaster. What if the Mirai botnet targeted critical infrastructure, or connected hospital equipment supporting vulnerable patients? As more IoT devices hit the market, the potential size of these botnets will increase.
However, there’s some light at the end of the tunnel. CES 2017 — a good indicator for new tech trends — featured a heavy focus on IoT security. The good news is that companies are now creating cyber security defences to prevent another Mirai-style attack.
Products like Symantec’s Norton Core provide a way for consumers to maintain their network and view threats which the router has blocked (although you’ll need to pay a subscription).
Alternatively, Bullguard’s Dojo looks like a pebble but acts like a firewall that provides network behaviour anomaly detection for consumers.
These products, alongside a slew of others, show that businesses are starting to take note of the massive threat posed by unsecured IoT devices. The Mirai DDoS attack shocked businesses, and might just have woken them up to the vulnerability of their interconnected devices.
Cyber security spending is on the up globally with a predicted $1 trillion spent annually by 2021. As well as investing in qualified IT professionals with recognised certifications, like ISC2’s CISSP, businesses must also dedicate resources to ensuring the security of their connected products.
It’s ultimately the responsibility of manufacturers to produce secure devices and update them regularly, but it will be a long battle. Cheap but vulnerable internet-enabled devices, from Chinese companies like XiongMai Technologies, are likely to flood the market unless regulations are introduced – and enforced.
Until there is a standards crackdown, and vulnerable devices are taken offline, these attacks will continue in 2017.