IoT Security – A Contradiction in Terms

A collage of various devices that not only can be hacked, but already have been.
A collage of various devices that not only can be hacked, but already have been.

The internet of things aka IoT has become the internet of hacks. More and more devices are being internet enabled. While this makes many aspects of our lives easier it opens us up to a wide range of cybersecurity problems. From direct control of devices to lost of personal private data to actual control of the networks and computers in our homes and offices, the IoT is creating a security risk at a faster rate than it’s fixing them.

Vendors are driven to get items to market fast in order to make money. Along the way security is given short shrift, or all-too-often not even considered. After all, it’s only a light bulb, what’s the worst that could happen? The answer of course is a lot, and probably much more than you think.

Compounding this problem is the fact that consumer simply don’t like doing sysadmin work and maintenance on their hardware. It’s difficult enough to convince people to update their computers and mobile devices. Worse than that are things like keeping routers up-to-date. Way down everyone’s list of things to do is monitor all the smart devices in the house for CVEs (known vulnerabilities) in the national vulnerability database. Hardware manufacturers have to take this into account and put even more care into the software security for software embedded in internet enabled things.

Just for giggles in a scary sort of way, here’s a brief partial list of a few devices that have known hacks available for them. If this doesn’t scare you then you’re not thinking about it enough. You should be running screaming to empty your bank account, buy an old pre-70s car, and smash your phones, thermostats, and other electronic devices.

airbags,
Fitbit health bracelet,
Baby monitors,
VOIP phones,
road signs,
printers,
cctv cameras,
pacemakers,
kettles,
ATM,
USB,
USB-C port,
gas station tank gauges,
cars,
Blu-Ray discs,
light bulbs,
smartwatches,
CD players,
electricity smart meters,
thermostats,
SD cards,
mag stripe readers

Again, this list is only a (very) small subset of things that not only CAN be hacked but already have been. I may have to create an IoT Hall-of-Shame for this stuff to see if we can get better security going.

The scary thing is that many of these aren’t just access to the device itself, or even data from the device (which is already a huge privacy issue) but are gateways to attack other pieces of your network. Read more about the lightbulb and blu-ray hacks above.

Now the answer to all this isn’t easy, but I’m hoping that at least you’ll spend more time thinking about it than you have.

[Update 2015-11-24 – added link to Hall-of-Shame]
FYI – I just finally created a new Hall-of-Shame for IoT – you can view it at the IoT Hall-of-Shame.

Resources:

[Update 2015-11-23 – added resources list]

Leave a Reply