Yes, Hackable Dolls and Insecure Fridges Really Are a Thing
If it's connected to the internet, it's at risk.
The premise of Bruce Schneier’s new book, Click Here to Kill Everybody, is that “the internet is powerful, but it is not safe. As ‘smart’ devices proliferate, the risks will get worse, unless we act now.” I couldn't agree more.
If you’ve seen Maximum Overdrive, Stephen King’s 1986 horror movie in which the world’s home appliances rise up and start attacking their owners, you’ll have a good idea of the climate in which Internet of Things (IoT) hacks are often discussed. Admittedly, the hacks detailed below are much more mundane, but if IoT security issues are not dealt with soon, King’s movie may not seem so absurd after all.
There are serious security flaws that permeate the build process for IoT devices -- from security cameras to pacemakers, cars, home security devices and yes, potentially even your net-enabled fridge. How those flaws will be exploited, however, is still relatively early to say. To date, the objective of IoT hacks appears to be either experimentation or the same as with any other kind of targeted hacking -- to steal or otherwise manipulate data for financial gain or malicious intent. Here are some notable examples:
In 2016, the IoT-driven Mirai virus perpetrated some of the largest DDoS attacks ever seen. In a DDoS attack aimed at U.S.-based DNS provider Dyn, Mirai took down large parts of the internet, including Netflix and Amazon, and in a separate attack, the country of Liberia, using an army of enslaved IP cameras, printers and baby monitors.
Ransomware attacks on IoT devices underscore how critical proper IoT security is, especially when you consider that a smart device can be used as a jumping-off point to hijack an entire network (and vice versa). U.K. hospitals were hit hard by last year’s WannaCry ransomware cyberattack, which cost the U.K.’s National Health Service almost £100m (despite its paltry $300 price tag for decrypting data) and led to the cancellation of 19,000 appointments. While the U.S. largely avoided the full scope of the attack, there were some reports of U.S. hospitals being hit, including one hospital that had its radiology equipment hacked.
For a peek into how clever criminals can be, we can look to the Mandalay Bay Casino hack, in which its high-roller database was stolen via a compromised, internet-connected fish tank thermometer. And security researchers have demonstrated how everything from Wi-Fi-enabled Barbie dolls to Samsung TVs can be hacked.
The biggest issue with securing the IoT is that, like the internet itself, the IoT ecosystem was not built with security in mind. All layers of the IoT stack -- the hardware, the software and so on -- are vulnerable and inherently insecure on multiple fronts, and manufacturers are not yet incentivized through regulation or public pressure to change that.
Plus, implementing standards and best practices across a global, multi-pronged supply chain requires governments working in unison to create and enforce global standards. The global manufacturers who produce so many of the cheap, rushed-to-market IoT goods in countries prized for their low labor costs and low regulatory bar are not likely to start thinking about cybersecurity any time soon. At the consumer level, many are still unaware of the weaknesses in their connected doorbells, and at worst, indifferent to them.
The problems are massive, but Schneier spends almost half the book on how we can fix the problem. In short, he suggests a model consisting of technology and policy -- a mix of well-crafted, enforceable government regulation and industry-wide adherence to strong security standards, such as those outlined by the National Institute of Standards and Technology (NIST).
Schneier’s book is particularly timely in that it was published just as signs of change have begun to appear on the horizon. Six months ago, the European Union passed the General Data Protection Regulation (GDPR), which outlines very clear requirements for the use and handling of customer data. With a recent Facebook breach that impacted 3 million users, GDPR’s effectiveness will soon be tested.
In September 2018, California Governor Jerry Brown signed SB-327, the nation’s first IoT-specific law. The bill has been praised by some as a good first step and criticized by others as being too vague. Either way, it’s paving new ground. Plus, because it applies to devices built and sold in California, it will have ripple effects that extend beyond the state.
We may not have to face down our own electric shavers as they try to cut our throats, but until security is baked into the manufacturing process for connected devices, we are leaving ourselves equally vulnerable. If I haven’t quelled your desire to use smart devices, here are some ways to do so as securely as possible:
When evaluating products, ask salespeople questions about their security features. If they have nothing to say, or what they tell you is not easily understood, ask yourself -- do you really need that cool new smart device?
If you are using apps to control your IoT devices (think smart home alarms or thermostats), consider using a VPN for your phone that includes basic web protections. There are plenty of options, both free and for a small annual fee.
Stay vigilant: any network-connected device can be hijacked, and phishing is still one of the most effective ways to deliver malware. Don’t assume your IoT devices are immune to email- or web-based attacks that reach them by way of your laptop or desktop.