“Okay.” He paused as turbulence sent the plane suddenly rising and falling like a rollercoaster. “How long have you had your refrigerator? 10 years, 20 years, God knows.” He answered his own rhetorical question.
“Now imagine this. Imagine you had a computer for 10 years, 20 years and you never updated it. Maybe never had any virus software, but if you did you definitely didn’t update it. That computer would be a spam-bot.” He paused again. “Now you would never do that with a computer, but with an IoT refrigerator that’s going to happen. Before you know it your five-year-old internet-connected refrigerator is going to have twenty invisible ninjas in it watching you. Twenty invisible ninjas that you will never, ever, know about.”
This is Peter Schmitt – MIT computer science graduate and serial tech entrepreneur. We sat next to each other on a plane from Boston to LA, and my millennial mind steered our conversation towards the internet of things, the buzzword of the year.
Without losing a breath he said, “Now, that is going to be a disaster.”
The next half hour was consumed with the past and future horror stories that have and could result from the rise of the IoT.
Where I was in awe of the potential of the IoT, Schmitt, the technologist, was terrified of its dangers.
The IoT is going to cause untold security issues. The only solution is to NOT put smarts into things that don’t need them. But market forces and human nature, I think, will sadly dictate otherwise.
Schmitt might just be right.
The problem
The power of the IoT is that it senses, collects and connects vast amounts of data from our daily lives to actionable ways of improving our lives. However, you might be surprised just how much information your devices are capturing. Once that data is collected it is at risk of being hacked.
Imagine what your internet-connected car knows about you. When you leave your house, where you go in your on and off hours, who your passengers are, where you drive your kids on the weekend, and much more.
How about your IoT television? Did you know that you’re not just watching it, but that it’s watching you too?
Or your new internet-connected baby monitor? Are you okay with your newborn’s private moments being live streamed on shodan.com?
Yet these doors into our private lives might not be the most dangerous doors that the IoT will open. The IoT will also create doors into our physical lives.
In the world of the Internet of Everything, where Schmitt and most industry experts agree we are heading, our actual doors will be connected to the internet – what’s to stop a savvy hacker from detecting when you unlock and lock your door to leave the house and then remotely unlocking it?
WIRED hackers recently demonstrated that they could remotely kill a Jeep on the highway, and researchers hacked a Tesla Model S, enabling them to hot-wire the $100,000 car remotely.
The IoT is even keeping the NSA and FBI up late at night, because it offers unprecedented access to our most important infrastructure.
In short, when your life is internet-connected, unless that connection is secure, your life is also internet-accessible.
Why the Internet of Things is so insecure
For a long time many engineers assumed that embedded devices were not targets for hackers, but those assumptions are rapidly changing.
The IoT has clearly become a point of risk after a spate of successful attacks – including the largest data hack in US retail history, a theft of 40 million credit card numbers from Target. The theft was accomplished through an internet-connected HVAC system.
The problem is that IoT technology is relatively new and, as a result, standards and regulation – read Sanjay Sarma’s article for more information on the need for regulation and standards – haven’t caught up to innovation. This increases the chance that new Internet of Things devices are being built with a greater number of vulnerabilities.
Devices are then mass produced with the same vulnerabilities, enabling hackers who exploit one device to replicate that attack across all devices.
Even if your IoT device is relatively secure out of the box, it is likely to get less secure by the moment from there. Embedded systems are bound to be chronically unpatched – running old, vulnerable software. The reasons for this are threefold:
- It costs manufacturers money to distribute updates with no offsetting revenue because IoT devices are often point of purchase rather than subscription based;
- As technology marches on, new device versions of early technologies tend to proliferate. This is no different with IoT devices. Yet IoT devices often have very long life cycles – 10 to 15 to even 20 years. Think of an IoT refrigerator or car. This makes supporting the many related hardware versions increasingly difficult over time, and eventually effectively impossible as parts are phased out by hardware manufacturers.
- And it costs owners of devices effort, time, and money to update them – for no visible benefit to themselves – so often they don’t.
Therefore the vast majority of IoT devices eventually go unpatched and, as a result, will eventually serve as hosts for malware or, as Peter Schmitt called them, invisible ninjas.
This means invisible ninjas in your car, invisible ninjas in your fridge, invisible ninjas in your TV, invisible ninjas in your home security system, and really invisible ninjas everywhere that we have attached the label “smart” – all networked together.
How to protect yourself
So should you throw out all of your new Internet of Things devices and give up on using great new technology to improve your life?
Despite the high level of risk, the potential usefulness of the IoT is just as high. Instead of throwing out or giving up on our IoT devices, we need to become smart power users and buyers.
So while we wait for regulation and standards in the industry to catch up to the technology, below are five easy tips on how to keep your IoT devices – and as a result your privacy and safety – as secure as possible:
- Buy smart: By buying the right product you can set yourself up for security before even turning your device on for the first time. Do your research. Buy from reputable companies. If you have the time, dig deeper and find out what their IoT device is talking to – a server, apps, the company. What information is being stored on those remote servers? These are all potential additional sources of vulnerability – the more widely your data is being shared and stored, the greater the attack surface for potential hackers. Last and possibly most important, find out what the company policy is for updates – if they don’t provide updates, consider avoiding their product and choosing a different one that will be more secure for the long term.
- Change your password: This one’s easy. Don’t keep the factory password on your device. This is how a lot of devices are compromised.
- Find out your device’s vulnerabilities: Do a Google search and find out how to protect yourself. There are other savvy users out there who have found out – sometimes the hard way – what potential vulnerabilities there are within your product. Take advantage of their pain to protect yourself.
- Update, update, update: The surest way to protect your device is to make sure you are updating your device as frequently as possible. Set a regular calendar reminder to check your device and the manufacturer’s website for new updates that might be available.
- Protect your home network: The flaw in Target’s security system that led to the loss of 40 million credit card numbers was that its embedded internet-connected air conditioning system was networked along with their payment system network. Once hackers were able to access the company that provided the HVAC system, they could also access Target’s payment system. Make sure that you are securing your home and business networks against your IoT networks. In your home most routers have the option to set up multiple network SSIDs. Set up one network for your computing devices. Set up a different SSID for all of your smart devices and then one more for all of your mobile devices. This way, even if one of your devices is hijacked or injected, the attacker is limited to that single network.
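The separation described in the last tip only limits an attacker if each SSID maps to its own subnet and the router does not forward traffic from the smart-device network into the others. The following is an added example, not part of the original article, that audits a home network plan for both conditions; the subnets, device inventory and forwarding rules are constructed sample data.

```python
import ipaddress

# Constructed plan: one subnet per SSID, following the three-network split above.
SEGMENTS = {
    "computers": ipaddress.ip_network("192.168.10.0/24"),
    "smart": ipaddress.ip_network("192.168.20.0/24"),
    "mobile": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed inventory: (device name, planned segment, address it actually got).
DEVICES = [
    ("laptop", "computers", "192.168.10.15"),
    ("refrigerator", "smart", "192.168.20.40"),
    ("baby-monitor", "smart", "192.168.10.77"),  # joined the wrong SSID
    ("phone", "mobile", "192.168.30.8"),
]

# Constructed router rules: (source, destination) means the router forwards
# connections that the source segment initiates towards the destination.
FORWARD_ALLOW = [
    ("computers", "smart"),  # manage smart devices from a laptop
    ("smart", "computers"),  # defeats the split: a hijacked device can reach PCs
]

def segment_of(address):
    """Return the name of the segment containing address, or None."""
    ip = ipaddress.ip_address(address)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def misplaced_devices(devices):
    """Devices whose address lies outside the segment planned for them."""
    return [(n, cat, segment_of(a)) for n, cat, a in devices if segment_of(a) != cat]

def risky_rules(rules, untrusted="smart"):
    """Rules that let the untrusted segment open connections into another one."""
    return [(s, d) for s, d in rules if s == untrusted and d != untrusted]

def audit(devices, rules):
    """Human-readable findings for both kinds of problem."""
    out = [f"{n}: planned for '{c}' but addressed in '{s}'" for n, c, s in misplaced_devices(devices)]
    out += [f"rule {s} -> {d}: smart devices can initiate traffic into '{d}'" for s, d in risky_rules(rules)]
    return out

if __name__ == "__main__":
    print("\n".join(audit(DEVICES, FORWARD_ALLOW)))
```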