Dismissing IoT device threats in the “internet of everything” world is easy. But privacy and personal data loss isn’t science fiction, so don’t fall victim.
I confess, I am drawn to any device that promises to make my life easier. My first experience with what we now call the Internet of Things (IoT) was a few years ago, when I bought a number of internet-connected lightbulbs. The feeling I had turning on my bedroom lights with just a tap on my phone was nothing less than sheer joy. I was hooked.
Over time, I introduced more connected devices into my home. My thermostat now automatically adjusts the heating or cooling based on the outside temperature. I can summon any song just by speaking into the Wi-Fi speaker in my kitchen.
In short, I feel like I’m living in the house of the future, today! These connected devices have made my life, and many people’s lives, easier (and, let’s face it, cooler).
But nothing comes without a price. So how much are we paying for all this convenience? Is it too much? And how much are we willing to pay?
Most of us, even a tech-geek like me, dread having to update our computers and phones. What we often forget, or don’t realize, is that most software updates aren’t an inconvenience – they’re meant to help us. Updates fix bugs in the software, including important security holes, to protect our devices and our information. Despite the inconvenience, regular updates aren’t just good, they’re vital. Think of them as booster shots, developed to combat a constantly evolving array of potential threats created by unscrupulous people who are very motivated to “cyber” profit from others’ lack of diligence.
But in a world of connected everything, how easy – or available – will these necessary updates be when they’re for toasters, or refrigerators? If my future dream refrigerator will know when I’m low on milk, apples, and mustard, then order them for me, using the credit card in its memory, will its manufacturer and engineers be diligent about ensuring hackers can’t simply reverse engineer the software, find bugs, and exploit them? Will they have that level of security expertise, and the resources to stay ahead of vulnerabilities that could expose my personal information to thieves?
Precisely because connected device manufacturers know they cannot provide this level of security, they tend to downplay the range of possible privacy risks. We’ve all gotten a good laugh at the idea of a “microwave spy,” and to be fair, this particular type of appliance is (at least for now) rare. But really, what dangers could, say, a connected printer and a connected refrigerator pose to each other, or their owner?
Quite a few, as it turns out. And not minor ones.
Last fall, malware known as “Mirai” compromised IoT devices, such as microwaves and house lights whose factory default usernames and passwords were still stored in their memories. Unlike with most computers, these embedded details are at worst permanently hard-coded into the devices and at best not easily changed. Once it had infected the devices, the Mirai malware instructed them to launch a Distributed Denial of Service (DDoS) attack against the internet, causing many websites to be unavailable. In short, the malware exposed device data and used it to remotely control them, right under their owners’ noses.
As if having your “internet of everything” devices turned into malicious cyber robots isn’t bad enough, you’d be utterly amazed to discover the extent of your personal life and information hackers can get their hands on through security monitors, music systems, and document storage devices.
Avast’s own researchers have found vulnerabilities that can be exploited to give unauthorised access to baby monitors. As a quick Google search on “strangers talking through baby monitors” shows, security incidents involving these devices, in which strangers were able to connect directly with children, are far from rare. Considering these monitors were designed to give parents peace of mind, their manipulation for such horrifying ends, if they aren’t secured properly, is particularly ironic.
As more IoT devices enter the market and our homes, cars, and offices, we become more vulnerable to attack. The more connected devices out there, the more possible attack vectors for intruders and thieves. We could soon be living in homes that constantly collect knowledge about everything we do – what we watch, what we eat, when we sleep, how long we’re at home, what we talk about.
All this convenience doesn’t come for free. Vulnerable devices open the door to hackers who want to steal the data from our devices and sell it to the highest bidder. They increase the likelihood that hackers could take over our cameras, garage door openers, alarm systems – anything “smart.” Or how about ransomware? We’ve all heard how it can infect computers. Now imagine it can be used to “lock” access to every appliance or system in your home, unless you pay the ransom. What recently seemed like science fiction isn’t so far-fetched anymore.
While all these possibilities can be overwhelming, and threats, like devices, will continue to evolve, you can minimize potential dangers while still enjoying the benefits of connected devices. Just follow these few simple steps:
Connected devices can be convenient, not to mention just plain cool. But before buying or connecting one, consider the implications of how they connect to the internet, how (and whether) their software is kept updated, and what happens if the vendor stops supporting the product. Don’t let your next dream convenience turn into a nightmare.
Image: Pablo Charnas