The number of Internet of Things (IoT) devices in use is forecasted to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (which was the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.
It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, the chances of that happening are fairly unlikely. So, what to do between now and the next zero-day exploit?
I’m specifically recommending a cyber “time-out,” and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.
Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.
We need a time-out to think through and implement best security practices for the IoT market.
Are Connected Devices a Cyber Catastrophe Waiting to Happen?
With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.
IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.
On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.
Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls associated with them. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.
So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.
Even the most cursory look backward reveals the likelihood of future attacks.
New Products, Better Prospects?
Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder about the lessons learned from recent zero-day fails.
In the Persai/Mirai catastrophe, IP cameras and routers were hijacked and roped into a botnet that hackers used to launch a massive distributed denial of service (DDoS) attack against Dyn, which routed traffic for major websites. The sites affected by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.
The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with default passwords that many people never bothered to change (some don’t permit passwords to be changed), security taking a backseat in the race to the marketplace. While there was little to no issue with the affected devices on the consumer end, the hackers were able to use all those points of contact to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate on total cost is in the billions, not millions, of dollars.
In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.
Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”
My questions:
There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?
What measures have been taken to protect other smart home products from hackers?
These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.
The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.
