Companies across the world release the latest and greatest technology to pave the way for a brighter and connected future. When one says connection, it raises the question: what is a connection? Moreover, how can it empower a brighter future? A connection, in simple terms, is a relationship between two objects or people. Connections occur in various aspects of our daily lives, but in recent years the word has taken on a new definition. Merriam-Webster’s Dictionary defines connection’s modified definition as:
a) “a means of communication or transport” (1).
In today’s world, that means something new. Now it refers to the physical connection or communication between wires that modern electronics have. However, this definition has changed once again. Wires that we once saw as a necessary component are now invisible, and their signals travel through the same air we breathe. Technology we once saw as something out of The Jetsons is now populating home and office spaces worldwide. Our world is becoming connected, and fast. IoT devices, or Internet of Things devices, are bringing us closer to the Jetsons-like future every day. For those who have been living under a rock or the like, these “devices” include most electronics labeled “SMART” or “Wi-Fi enabled.” More and more devices like this are being released each month, and with them comes great power. Devices like this are getting entrenched deeper into our lives. With this great power, as the saying goes, comes great responsibility. IoT devices can range from a simple Wi-Fi enabled light bulb to a sensitive medical device like a pacemaker (artificial heart pump).
Any device that falls into that category also falls under the definition of connected. If the owner of said devices can connect to them and utilize them for good, the potential for anyone to connect to them for bad arises too. IoT devices are popular, dangerously cheap, and insecure devices that can and will run rampant in people's personal lives until they are secured.
At first glance, which is as far as most people look, IoT devices seem like the fastest way to get Rosie the robot maid into our homes. Truth be told, people adore the idea of smart technology. Future technology like this simplifies life and eases the meticulous jobs that would have taken significantly more energy and time to complete. Take for example the various “smart vacuums” or, as many know them, Roombas. Devices like this take away the menial task that is vacuuming; instead, as someone enjoys a cold beverage, a small, connected robot goes to work. There are already hundreds upon thousands of these devices running rampant, and there will be more. Just how many? An article from nbnco states, “A new report from consumer insights service Telsyte predicts that the average Australian household will have around 29 connected devices in just over three years’ time. That’s almost triple the devices we have now” (“Why the Internet:” 1). Worldwide it is an even more surprising story. With a little over 25 million IoT devices connected worldwide in 2017, this number is expected to grow exponentially. According to Dave Evans for the tech giant Cisco, “Looking to the future, Cisco IBSG predicts there will be 25 billion devices connected to the Internet by 2015 and 50 billion by 2020” (3). With that in mind, it is clear that in the near future IoT devices will be abundant, to put it lightly. Such demand for these devices opens an ever-growing market. A market with a place for everyone, even those less savory.
IoT devices are a very profitable market. Components needed to make most devices can be bought in bulk from all over the world at pennies on the dollar. With a quick profit in mind, many manufacturers are drawn like a bug to a bright light. Companies large and small participate in selling these devices, which leaves a flooded and alarmingly insecure mass of smart home and life devices. Many times during production, across shady off-brand companies and large retailers like Belkin [well-known smart home technology manufacturer] alike, devices are shipped out with known security issues. Security issues with devices like this can turn a seemingly harmless Wi-Fi enabled light switch into a gateway. Brian Krebs, a network security researcher for KrebsOnSecurity, adds, “The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords” (1). Krebs describes a specific vulnerability found in dozens of devices: printers, routers, and security cameras. Exploits like this are common among smart products, which are quickly manufactured to maximize profit without regard to device security.
Security and the word connected are words frequently heard these days. Clearly, in order for a product to be both useful and secure, those words must go hand in hand. However, with cheaply made devices in the “wild,” customers are more at risk than ever. Devices are sent out of the factory with default passwords or weak ones that are easy to crack. Many of said devices run a service in the background, SSH and/or Telnet, which was initially enabled for development. However, these development tools stay embedded in the IoT devices throughout distribution and thus stay online and vulnerable. When default credentials are tried against the device's weak authentication, the device logs the attacker in and allows them near full control of it. Frighteningly, many of these devices are reachable from the public internet rather than just a local network. When an attacker or malicious software discovers said open devices, it uses scripts that are programmed to try default passwords. Once the attacker gains access, it is all over for the consumer. A hacker can use the device as a way into the network, or they can add the device to a “botnet” [A specialized software that exploits the device’s computing power and uses it for something malicious].
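The pattern described above, one source trying many accounts in quick succession and then logging in, is also what a defender can watch for in a device's login records. The following is an added example, not part of the original essay; the log format, field names, and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical log format (not from a real device).
SAMPLE_LOG = """\
2017-10-01T12:00:01 telnetd src=203.0.113.7 user=root result=FAIL
2017-10-01T12:00:02 telnetd src=203.0.113.7 user=admin result=FAIL
2017-10-01T12:00:03 telnetd src=203.0.113.7 user=support result=FAIL
2017-10-01T12:00:04 telnetd src=203.0.113.7 user=guest result=FAIL
2017-10-01T12:00:05 telnetd src=203.0.113.7 user=admin result=OK
2017-10-01T12:05:00 sshd src=192.168.1.20 user=alice result=FAIL
2017-10-01T12:05:09 sshd src=192.168.1.20 user=alice result=OK
2017-10-01T13:00:00 telnetd src=198.51.100.9 user=root result=FAIL
2017-10-01T13:00:01 telnetd src=198.51.100.9 user=admin result=FAIL
2017-10-01T13:00:02 telnetd src=198.51.100.9 user=user result=FAIL
"""

LINE = re.compile(r"^(\S+) (\w+) src=(\S+) user=(\S+) result=(FAIL|OK)$")

def detect_guessing(log_text, window=timedelta(seconds=60), min_fail=3, min_users=2):
    """Map source IP -> 'guessing' or 'compromised' for account-sweeping sources."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        ts, _service, src, user, result = m.groups()
        events[src].append((datetime.fromisoformat(ts), user, result))

    def is_sweep(fails):
        # Many failures across several account names inside the window.
        return len(fails) >= min_fail and len({u for _, u in fails}) >= min_users

    verdicts = {}
    for src, evs in events.items():
        fails = []  # (time, user) of recent failed attempts from this source
        for ts, user, result in sorted(evs):
            fails = [(t, u) for t, u in fails if ts - t <= window]
            if result == "FAIL":
                fails.append((ts, user))
                if is_sweep(fails):
                    verdicts.setdefault(src, "guessing")
            elif is_sweep(fails):
                verdicts[src] = "compromised"  # login succeeded right after a sweep
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(detect_guessing(SAMPLE_LOG).items()):
        print(src, verdict)
```

A single mistyped password followed by a successful login, as in the `192.168.1.20` lines, is not flagged; only a sweep across several account names is.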
Kashmir Hill, a privacy pragmatist, had this to say about IoT devices:
Googling a very simple phrase led me to a list of “smart homes” that had done something rather stupid. The homes all have an automation system from Insteon that allows remote control of their lights, hot tubs, fans, televisions, water pumps, garage doors, cameras, and other devices so that their owners can turn these things on and off with a smartphone app or via the Web. The dumb thing? Their systems had been made crawl-able by search engines – meaning they show up in search results -- and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people's homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion. (Kashmir Hill 1)
With a simple Google search, she was able to enumerate the default manufacturer passwords on these families’ smart home systems. After she logged in, she was able to gain full control of their homes. From here she could, as mentioned, open the garage door and allow anyone inside. Rather disturbingly, she could have escalated her control of the devices and gained specific control of the lights. With control of them, she could potentially tell the device to strobe, causing anyone prone to seizures to have a sudden attack wherever they were inside the home. However, the greatest danger of all is the enumeration of personal data via control like the one Kashmir had. Having personal data and overall access to the device could lead to a whole host of other issues such as identity theft and botnets.
After the hacker/attacker has had their “fun” and sent someone’s life into a tailspin, they could potentially finish them off with their greatest enemy: themselves. Not literally; however, in a sense identity theft does stem from this prospect. With the information, the hacker is free to decide the fate of the victim depending on the information gathered. If the victim is an average citizen, data like credit card numbers and potentially private medical data could be used against them for the extortion of more money. In addition, if the data is not directly used by the hacker, they could sell the unsuspecting person’s data on “the dark web.” The dark web is what many call “the other side of the internet.” Using special software, anyone can access websites that are not monitored by any one company or government, and so vast numbers of illegal websites are hosted here. Sites here promote the sale of drugs, weapons, personal hitmen, and credit/debit card dumps. Many call this place a true “hacker’s haven.”
Garrett Graff, writing for Wired, had this to say about a recent attack that had taken control of many devices using a similar method: “The new malware scanned the internet for dozens of different IoT devices that still used the manufacturers’ default security setting. Since most users rarely change default usernames or passwords, it quickly grew into a powerful assembly of weaponized electronics, almost all of which had been hijacked without their owners’ knowledge” (1). Once the devices are “hijacked,” the attacker can use the raw power of thousands of “zombified” smart printers, cameras, etc. to attack websites. As they command the devices to attempt a connection to said website, the combined processing power of the zombified devices takes the servers down. Attacks like this, both personal and large-scale, show that the current future of IoT devices is grim.
In the end, companies will continue shelling out millions of smart home devices no matter how dangerously insecure they are. New generations have a love and longing desire to use and utilize the latest and greatest technology. Most of them, however, like the better half of the world, ignore their baby monitors or Wi-Fi enabled crockpots. Unfortunately, they will not act until it is too late, until the hackers have already won. On the same note, “winning” is only getting easier. Take for instance Amazon’s latest in the line of Echo products. In an article, Tom Warren, a writer for The Verge, explains more about this device: “It’s no mistake that Amazon’s Echo Spot looks cute. It has to be cute and tiny to avoid pointing out that it is a computer with a camera staring at your bed. Amazon does not even mention the word privacy in its press release for the Echo Spot or its product page. The camera on the Echo Spot is primarily used to support video calling, but it could theoretically be hacked and used for malicious purposes” (1). Amazon’s line of Echo devices has a mostly positive reputation for security so far, but there is great potential for even greater danger. In the technology world, it is unfortunate to say, but the only way a vulnerability will be discovered is for somebody to be the guinea pig. Somebody will take the unnecessary fall so that we can all be secure. One day we will learn, one day too late. “At the moment, in the race between IoT security and IoT adoption, the latter is winning” (“IoT is Coming:” 1).