For many people, the Internet of Things (or IoT) is an exciting prospect, and over the next few days we are sure to see a large number of new products at the Consumer Electronics Show, Las Vegas, designed to be always connected. Indeed, Gartner expects that 6.4 billion connected devices will be used by consumers in 2016, and the range runs from connected coffee machines, thermostats and baby monitors to smartphones, connected cars and tablets. The technology that can connect all of these disparate devices is interesting and exciting, and is likely to change the world forever. It will simplify and streamline many of the daily chores that we take for granted, reducing our energy and resource consumption. For example, our connected refrigerator could advise our car that we need to buy milk on the way home, so the car will plan an optimized route to the store that avoids traffic slowdowns. Once we arrive, the store has the right milk ready for collection. The car will also feed back to the home smart thermostat that it can delay putting the heating system on until we are on our way home.
However, what if these interconnected devices were compromised in one or more respects? What if a criminal could obtain access to our network of devices? In the case outlined above, the effects of the store providing the wrong milk, or the heating coming on too late, might not be so disastrous. However, let’s consider the breadth and depth of systems that could be connected into the Internet of Things infrastructure: it could include anything from office lighting equipment and connected coffee machines to traffic lights and security cameras. Obtaining control of office lighting and coffee making would allow the hacker to disable the lights (turning them on and off ten times a second overnight would cause the units to fail) and flood the office (by running the coffee machine all night).
Surely, finding these interconnected systems would require specialist knowledge? As it happens, no, it doesn’t: the website shodan.io indexes a massive number of IoT devices and is described by Aamir Lakhani, security researcher at online security business Fortinet, as “the search engine for the Internet of Things.” Worse, where people have not changed the default security passwords – cunningly set as “admin” for both the username and password – it is easy for anybody to at least view the information that the device is showing. For a would-be burglar, seeing when a house is unoccupied could be just the information that he or she needs. This security weakness exists because device manufacturers wish to make their products easy to use, and that ease of use comes with significant security compromises. At the very least, customers should change default access passwords, and manufacturers should be taken to task to help with this. However, as we’ve seen, many people are amazingly blasé about their electronics’ security.
Another potential threat comes from the “land and expand” risk – that is, using a relatively simple connected device as a Trojan to attack a more sophisticated target. Fortinet’s security researcher, Axelle Apvrille, released research in October 2015 that suggested she was able to infect a Fitbit fitness tracker with malicious code that could later be transferred onto a computer via the device’s Bluetooth radio. Although Fitbit disagree, and stated that their own researcher was unable to complete an attack using one of their products, this type of attack remains a weakness. The issue here is that a trusted component, already able to connect and handshake with our equipment but too simple in its own right to do much of anything, could be used to pass on an attack. Suddenly, we wish for our smart refrigerator to be hardened against attacks delivered through the barcodes or NFC tags of newly bought shopping.
At the moment, there are no known threats: we’ve seen no stories of an infected payload carried by a milk carton into a smart fridge yet, but this does not mean that consumers and the industry should ignore the issue. Along with the promise of a more efficient transport system, cheaper heating and cooling bills for our home, improved security and healthier lives, we should all take the security aspect of the Internet of Things very seriously.