With the advancement of the ‘connected cloud’, the Internet of Things (IoT) has also taken flight. Not long ago, IoT was a futuristic glimmer in the eye of blue chip brands like GE and Viking. Manufacturers of refrigerators, toasters, microwaves, and printers would have had to store data locally on the device itself instead of processing data in a cloud-based data center. So, what does this mean for the average consumer when it comes to ensuring their household is secure? It means watching out for IoT botnets: groups of internet-connected computers, appliances, or devices that have been co-opted to launch a cyber-attack. The results can be devastating.
Nearly any internet-connected device can be considered an IoT device. With our growing reliance on the internet, the number of devices capable of being hacked and used as part of a botnet has increased dramatically. By some accounts, there will be over three IoT devices for every human on planet earth by the year 2020.
Since computers are being embedded into commonly used devices such as toasters or AI-powered personal assistants like Alexa, any data or security breaches will affect our daily lives—not just our data. We cannot rely on the market to solve this problem alone. Governments need to step in and regulate this increasingly dangerous industry.
A U.K. government-backed scheme aims to tackle the issue of poor security in the Internet of Things (IoT) by encouraging manufacturers to produce connected devices that are secure by design and easy to update. A new practice called the ‘Secure by Design Code’ for the IoT has been launched by the Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) and is based on collective advice from industry, security experts, academia, and consumer organizations.
Guidelines include telling hardware makers to eliminate universal default usernames and passwords for IoT devices, to ensure that products aren’t sold with basic login credentials that can easily be breached by attackers. Poor password security has been the cause of several IoT-related security breaches.
From baby monitors to doorbells, no household device (or car) is safe…
We’ve already seen hacks against robot vacuum cleaners, ransomware that shut down hospitals and denied care to patients, and malware that shut down cars and power plants.
These attacks will become more common, and more destructive. Computers fail differently than most other machines: It’s not just that they can be attacked remotely—they can be attacked all at once. It’s impossible to take an old refrigerator and infect it with a virus or recruit it into a denial-of-service botnet, and a car without an internet connection simply can’t be hacked remotely.
Speaking of cars… those are just giant computers on wheels. Cars of the same make and model can be made to run off the road, all at the same time. Think of the pandemonium that this would cause. Earlier this year, USA Today cited a well-known 2015 hack involving a Jeep Cherokee that prompted Fiat Chrysler Automobiles to send USB sticks with software patches to the owners of 1.4 million cars and trucks. Hackers infiltrated a vehicle through a minor device, such as an infotainment system, allowing them to take control of the vehicle’s door locks, brakes, engine or even semi-autonomous driving features.
Someone needs to be held accountable…
Last month, Bloomberg reported that China inserted eavesdropping chips into hardware made for American companies like Amazon and Apple. The tech companies all denied the accuracy of this report, which precisely illustrates the problem. Everyone involved in the production of a computer must be trusted, because any one of them can subvert the security. As everything becomes a computer and those computers become embedded in national-security applications, supply-chain corruption will be impossible to ignore. This affects the retailers and ultimately unwitting consumers.
These are problems that the market will not fix. Consumers cannot differentiate between secure and insecure products, so sellers prefer to spend their money on features that buyers can see. The complexity of the internet and of our supply chains makes it difficult to trace a specific vulnerability to a corresponding harm. The courts have traditionally not held software manufacturers liable for vulnerabilities. And, for most companies, it has generally been good business to skimp on security, rather than sell a product that costs more, does less, and is on the market a year later.
IoT Hacks Are Expensive…
Statistics published in August 2018 indicate there are more than 17 billion connected devices globally, per IoT consulting firm IoT Analytics. Whether from DDoS or other attack vectors, the cost can be in the hundreds of thousands of dollars. In one 2016 attack, security cameras were among the IoT devices affected in an issue that took the KrebsOnSecurity website down for 77 hours and cost consumers more than $323,000 due to the resultant excessive power and bandwidth consumption of consumers’ devices.
If IoT devices frequently become associated with disturbing consequences, people may decide they’re not worth the investment. Such an outcome would dampen consumer spending on IoT devices, leaving device makers scrambling to recover from thwarted growth projections.
The more we rely on connected devices, the more we need to be aware of the downside of the conveniences afforded to modern society. As privacy and safety concerns arise, consumers need to take precautionary measures into their own hands. Until governments regulate the supply chain, the old adage of “caveat emptor” is more true today than it’s ever been.