We recently wrote about why the Internet of Things (IoT) may not be all the glitter and champagne it’s cracked up to be. To expand on that idea, it’s well worth looking at a number of smart devices that you may not want to connect to the web after all. At least not yet, anyway.
It’s no surprise that the IoT is loudly ringing alarm bells. The “matured” security of the 25-year-old Internet is a long way from being perfect. All we can expect from the baby-faced security in and around the IoT is something extremely rudimentary, accompanied by all the risk that entails.
Rather than cultivating an attitude of fear around the IoT, I hope to perpetuate more vigilance around this technology. A vigilance that leaves you prepared for the worst, but hopeful for the best.
This year at Black Hat USA, an unaltered passenger vehicle was remotely hacked. Once hacked, it was clear that the vehicle could quite easily be controlled (to a large extent) by those hackers.
You can see in the video above the extent to which this code can be used to take control of your vehicle (predominantly late-model Chryslers with the UConnect feature; a patch has since been released).
The hackers start off by innocently turning on the fans, radio, and wipers. Next, they cut the engine on a highway, take control of the steering (only while in reverse), and, most scary of all, disable the brakes.
Although vehicles have had complex computational systems within them for years, it’s only recently that we are starting to see them connected to the Internet. If the systems and networks within the car (Bluetooth, telematics, radio functions, etc.) are connected to each other, this largely widens the scope of what the hacker is able to do.
The fact that there is already such a high number of connected vehicles on the road today is what makes this development particularly worrying. Thankfully, however, the engineers who remotely “broke into” this vehicle did ethically warn the industry of the weaknesses they found. If a more nefarious engineer were to find these vulnerabilities, the consequences could be disastrous.
This September, Forbes reported on how “depressingly easy” it currently is to hack into a number of baby monitors from within a browser. This has been an issue for some time now, with the video above being over a year old. Yet the industry still fails to make the required updates.
Forbes explained that through “simple searches or tweaked web addresses”, a novice hacker could remotely access the baby monitor’s video feed, and could even talk to the baby. By using brute-force attacks on IP addresses found on sites such as Shodan, receiving video and (sometimes) audio is said to be uncomfortably easy.
The results of the research conducted by security analysis company Rapid7 found seven devices that are vulnerable to these weaknesses. These are: the iBaby M3S and M6 models, the Philips In.Sight B120/37, the Summer Infant Baby Zoom, the Lens Peek-a-View, TrendNet Wi-Fi Baby Cam and some Gynoii devices. Many other devices that the company did not test are also thought to be vulnerable.
These vulnerabilities are likely easy to fix. Only allowing whitelisted IP addresses to access the feed could be one potential solution. As would improving on “shoddy default passwords”. In the meantime, monitors already sold (likely) still remain open to attack. As reported in the article, “most vendors didn’t respond with confirmation of fixes”, though Philips did promise a security update.
Home IP Cameras
Home IP cameras are generally security cameras that you can control remotely from your smart phone. Security firm Tripwire states in a Sputnik News article that “these devices are usually hackable with ease providing you can interface with them. If they have a web interface, they can be hacked using web hacking techniques. If they have interfaces over serial ports — they can be penetrated and hacked at that layer too”.
The idea that someone could gaze into your home, and watch while you live your daily life may not be likely, but the possibility is nauseating. Along with this, if a potential intruder (whether this be into your home, office, or shop) wanted to make sure the coast is clear, all they have to do is check your IP Camera feed to ensure no one is around.
The same issues arise with web cams and smart TVs with connected (or in-built) cameras.
For anyone who routinely misplaces their keys, the idea of a smart lock could come as something of a godsend. Being able to open and lock your doors from a mobile application sounds fine and dandy in theory, but in reality the security concerns are nothing to be ignored.
Back in 2013, Wired reported that millions of Kwikset smart locks were open to hacking. The Sesame smart lock purportedly has less-than-perfect security thanks to its “secret knock” Bluetooth feature. Hackers at Def Con hacked a smart lock in front of a live audience.
But as pointed out in this Gizmodo article, if someone really wanted to break into your house, a crowbar or smashed window could do the trick. That would be a lot easier than hacking your smart lock. But if we’re relying on smart locks to secure offices, shops, server rooms, or even safes, we’re looking at a completely different picture, where immensely valuable information, stock, and equipment could be placed at risk.
During December of 2013 and January 2015, Cybernetics Security company Proofpoint claimed to have discovered the first large-scale Internet of Things cyber attack. In that attack, 750,000 phishing/spam emails were sent from fridges, TVs, media centers, and other connected home devices. This may be unfortunate for the recipients of those emails, but the point is more salient.
Yes, our connected devices can now be used to launch large scale attacks on us, and others. But on a more personal note, the lack of security built into devices, such as many Samsung fridges (see the video above), leaves us pretty vulnerable. Some of these fridges have been found to be sending your data over servers without verifying the SSL certificate. This means that the fridge doesn’t really know who it’s talking to.
If you’re asked to log in to your Google or Amazon account on your fridge, for instance, your passwords could well be intercepted. Not only that, but it could be relatively easy for a hacker to install malware on your fridge, too. Principal Analyst at Osterman Research told Computing.co.uk, “few vendors are taking steps to protect against this threat; and the existing security model simply won’t work to solve the problem”.
There are Many Others
Above are just a few examples of IoT devices that we should maintain our vigilance around. There are many more. Your GPS-connected running T-shirt could tell the wrong kind of people when you’re out of the house, for example. But a more likely risk is that of having even more of your sensitive data accessible via devices that simply aren’t well secured.
Despite the excitement of the Internet of Things (which is why many companies are jumping on the bandwagon, connecting the most ridiculous of devices), it’s a risk to jump in head first without first being conscious of the risks that are out there.
These devices all pose at least some form of threat that will (hopefully) be ironed out in time. In the meantime, let’s not fall for the hype. Let’s use the technology behind the Internet of Things for actual needs. When the security inevitably improves, perhaps then, and only then, should widespread adoption of these risky devices become mainstream.
Which other devices do you think pose a risk? And are these risks substantial enough to prevent you from jumping on board with these devices?