The smart devices making up the Internet of Things (IoT) is a Wild West when it comes to quality and security, and consumers need to understand the risks they may face.
While IoT devices bring new conveniences and possibilities for the average user, they also open up a Pandora’s Box of potential problems, from eavesdropping attacks to lending your home to an online criminal gang.
The bottom line: Cheaply made, mass-produced IoT devices are hacks just waiting to happen.
IoT devices aren’t built with security in mind
Generally speaking, IoT devices aren’t built with security in mind. But even if they are designed with some security features, these often turn out to be too basic or flawed to be effective. At the same time, all IoT devices will need to run regular software and firmware updates in order to run properly. This is where IoT gizmos run into a snag.
First, the smart device likely runs on a bunch of third-party software, developed by people and companies other than the company that sold the product. The IoT device maker will need to be proactive about channeling new updates from outside software into its own product and pushing those through to the end-user. It’s not uncommon for patches to fall through the cracks.
Second, if updates aren’t run automatically but instead require user action — such as logging into an online account to check for updates, or, as in the case of firmware updates, restarting the smart device — the chances of an update being performed are low.
All of this factors into the performance, stability, and security of the smart device.
Like adding a new door or window to the house
I’ll go into several of the hacking risks below, but what is most important for consumers to realize is that buying an IoT device is sort of like adding a new door or window to a house — but one that is potentially accessible to the entire world.
Just as you wouldn’t install a new door without fitting it for a lock, you also can’t incorporate IoT into the home without enabling security. Not doing so is just asking for trouble.
Here are the top risks with low-priced IoT devices:
Freaky spying attacks
A hacker can use the smart device to gain virtual access inside the home. This includes spying through the embedded camera and microphone.
Just think about all of the baby monitor horror stories that have popped up in recent years. Any cheaply made smart device that sports internet connectivity and communications features, such as cameras and mics, could be hijacked in a similar way — whether it is a connected kids’ toy or a home security camera.
It’s not just the actual device that’s at risk, but also the back-end network and the company behind it.
In 2018, the customer database of the CloudPets smart toy manufacturer was breached by hackers who stole information on 800,000 users.
Data breaches are common enough with retailers and websites, but connected devices pose a whole new set of risks due to the personal nature of these products. Because of the interconnectedness and “smart” capabilities of IoT products, financial and personal information theft are all possible. Of particular concern is health information (currently the most valuable commodity on the Dark Web), and this could become a bigger threat down the road, particularly if IoT devices create/store health records or share access to medical providers.
Smart locks are one example of this. Recently, security researchers found that the technology used to pair a user’s smartphone with these locks (known as Z-Wave) is easy to intercept and copy. This means someone else could gain control over the smart locks to break in. Ethical hackers have also bypassed fingerprint-based smart locks.
Researchers have also demonstrated how criminals could bypass a home alarm system by hacking into poorly configured “smart” sprinklers — or any other smart device that shares the network.
It’s easy for malware to infect IoT devices, because they are largely unprotected from it. The most common malware today are cryptominers and botnets. But in the future that could change.
What is most concerning from a security standpoint is that an IoT device is a gateway into the larger network of a home or office. Consider the example of a home security cam. First of all, there’s no antivirus alert on a security cam, so you wouldn’t know if it was infected by stealthy malware. This malware could then use the camera as the staging ground for secondary attacks on other devices connected on the same network, like a WiFi router, computer or printer.
This makes IoT devices a good target for information-stealing Trojans and self-propagating “worms.”
Technically, IoT ransomware has already happened — with the WannaCry ransomware attack in 2017 — but it will become a much bigger problem in the coming years.
Cyber extortion is big business, and it will gradually extend to consumer devices, as well. More likely than not, this will take the form of ransomware which bricks the smart device until a ransom is paid in bitcoin. Should hackers target high-priced items with ransomware, it will become a major headache for consumers. Imagine a washing machine or refrigerator that suddenly stops working — or the car in the driveway.
Harassment and domestic abuse
IoT can also become a tool for abuse.
This problem will only get worse over time, and it’s important — particularly for women — to be aware of the risks. Just as you wouldn’t want an ex to have a key to your house, you also don’t want them to maintain access to these embedded devices. Changing the password and permission settings is one way to address this, but if it’s a poorly secured device, that may not be enough.
Riskiest devices to buy
Generally speaking, the more access you give to a smart device, the more at risk you are if the device is compromised.
Therefore, the highest risk devices are those that control or regulate some aspect of a person’s health, interact with children, control physical access to private property or allow access to highly sensitive personal information such as medical or financial records. That means medical devices, kids’ toys (anything with a webcam and/or microphone), locks and security systems, and any gizmo which creates, stores or access personal records are all above-average in risk.
Of course, the manufacturer matters — one smart lock developer may be more secure than another — but even with a trusted brand, consumers need to remember that security is never guaranteed. Anything can be exploited.
The best advice is to know the risks and limit your exposure to smart devices.
Sure, these gadgets can be a lot of fun to have around the house, but maybe it’s not such a great idea to have that web-enabled smart TV on the dresser facing your bed. In fact, web-enabled cams are just a bad idea in general. Whether it’s in a TV, a kid’s toy or a security system, any time you add this feature to a device you are also creating an open channel for a hacker to gain access into your private life.
For those who own smart devices, at a bare minimum you need to do five things: (1) make sure the web connection is encrypted (HTTPS); (2) reset the password; (3) check regularly for firmware and software updates; (4) keep your IoT gizmos on a different WiFi channel than the home computer (most modern routers allow you to do this); and (5) don’t share anything with an IoT device that you aren’t willing to lose, whether it’s private information or access to your personal space.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.