In 2016, a photograph taken of Mark Zuckerberg revealed that he’d taped over the camera and microphone on his laptop.
It felt vaguely ironic that the man behind Facebook was so paranoid about his privacy, but it raised an important question for many about the safety of connected tech. As internet of things (IoT) keeps growing in penetration, lots of so-called smart devices have revealed themselves to be anything but when it comes to security.
As these devices create and collect more data, they become more attractive to hackers.
“Gartner found that nearly 20 percent of organisations observed at least one IoT-based attack in the past three years.”
With a total of 20.4 billion connected ‘things’ predicted to be in use by 2020, sometimes even the most innocuous products can offer a way in for people with nefarious intentions as we see below…
Beware of the fish
Many people who go to Vegas come back with far less money than they went with, but it’s not usually due to a cyber-attack, much less one that started in a fish tank. However, that’s exactly how an unnamed casino in Sin City was once infiltrated, when an aquarium thermometer used for remote monitoring and feeding was used to gain access to the network and a list of the casino’s highest-spending visitors was stolen. The hackers stole 10GB of data in total, sending it to a remote server in Finland.
When autopilot strikes back
With modern cars becoming more and more like computers on wheels that you can drive, you don’t necessarily need to be behind the wheel to be in charge of the vehicle. In 2015, a pair of friendly hackers demonstrated a vulnerability in an automaker’s connected vehicle platform, which powered the in-car systems for their leading brands. While a journalist from Wired magazine drove his car through downtown St. Louis, USA, the hackers sent commands through the entertainment system, taking control of the car’s air-conditioning, stereo and windscreen wipers, before finally cutting the power to the wheels and allowing the car to roll to a stop.
And the beat goes wrong
In August 2017 nearly half a million pacemakers were recalled when a vulnerability was discovered that could allow hackers to alter a patient’s heartbeat. None of the radio-controlled devices, which were made by a leading healthcare company and sold in the USA, were reported as compromised but the potential damage that could be caused was critical, and firmware updates were applied to devices that had been implanted in order to prevent the weakness being exploited.
Sometimes it’s not hackers you need to be wary of but the behaviour of IoT devices themselves. In 2018, cyber-security blog Limited Results took a hacksaw to a LIFX Mini White and discovered vulnerabilities with the smart bulb itself. Anyone with physical access to the product could extract the owner’s Wi-Fi password as it was stored in plaintext on the device, along with the RSA private key and root passwords. LIFX fixed the vulnerabilities with a firmware update but it raises important questions around the disposal of unwanted or defective smart devices.
Losing your voice
IoT products aimed at children will always raise extra concerns around security, especially when there are stories like the one involving CloudPets. The cuddly toys were removed from sale by retailers, including Amazon and eBay, after it was discovered that two million voice messages, which were recorded by children and uploaded via the toys’ accompanying smartphone app, were being stored in the cloud without any authentication required to access them. The database also included email addresses and passwords of parents who had bought the toys.
So what do these incidents tell us about the internet of things?
Firstly, it has opened up a vista of new exploit scenarios where attacks can come from anywhere.
“Products like these are susceptible because businesses often focus on the new feature set of the IoT device and the security aspect tends to be an after-thought.”
But with every new connected device, the threat landscape evolves that little bit more, meaning security tools need to be agile enough to cope at every point.
IoT devices are increasingly being used across diverse sectors including manufacturing and retail sectors and, as seen by the Vegas fish tank example, can be gateways to other parts of an enterprise’s network. Given that 80 per cent of the world’s data is kept on private servers and the punishments for breaching GDPR rules can be cripplingly severe, keeping hackers out has never been more crucial.
The fledgling nature of IoT is likely to make it an attractive target to hackers for the foreseeable future but emerging technologies can provide a potent defense in the fight against them. Implementing security analytics strategies based on Big Data can help identify anomalies in behaviour and usage across the vast populations of IoT that are getting launched, to pick on critical security incidents or misuse. Also, Blockchain, for example, can remove the need for a central authority in IoT networks, meaning devices in common groups can alert administrators if they’re asked to carry out an unusual task.
“Fundamentally, though, IoT should not be feared.”
With the correct safeguards in place it can deliver the improved processes, reduced costs and better-quality services it’s designed to provide.”
Read more about the importance of security in the digital age.