IoT Insecurity – The Biggest Consumer Threat Ever?


What is the Internet of Things?

The Internet of Things (IoT) is a term you’ve no doubt come across quite often, but it’s one that also causes a good deal of confusion. Wikipedia describes IoT thus:

The Internet of Things (IoT) is the network of physical objects—devices, vehicles, buildings and other items which are embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data.

In simple terms, the Internet of Things refers to everyday objects (or “things”) that are being offered with built-in network connectivity: “things” which hook directly to the internet, all by themselves, without needing a computer to interface with. More often than not, these are things that:

  • Are widely known and commonly used.
  • Were not originally designed or built specifically to be part of the internet.
  • Perform functions that do not normally require the internet.
  • Have worked fine for years without being connected to the internet (but would potentially be more useful if they were).

Typical examples might be cameras, TVs, music players, even fridges.

There has been a lot of heated discussion centered around the potential pros and cons of IoT. Potentially, it could open up a whole new infrastructure of simplicity and efficiency. However, real-world experience to date is telling us a different story.

The Insecurity of IoT


History has already shown us that this technology is prone to abuse. Remember the furor over Smart TVs phoning home with more than mere statistical data? As the technology spreads, more and more reports of poor and malfunctioning security are coming to the fore. Just a few days ago, highly respected investigative reporter Brian Krebs published an article titled “This is Why People Fear the Internet of Things”. Here is the introductory paragraph from Brian’s informative report:


Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

Definitely suggested reading.


This was followed a couple of days later by an equally alarming report from Paul Ducklin at Naked Security called “More IoT insecurity: The surveillance camera that anyone can log into”. Paul’s article is centered around a popular DVR (Digital Video Recorder) which has its root password hard-coded into the firmware. Not only can the password not be changed, it is also plainly visible in the firmware. Paul concludes:


Until the IoT market matures and starts taking security seriously, we suggest that you keep these devices segregated on a subnetwork of their own, behind a firewall that only allows you to connect through if you login to a Virtual Private Network (VPN) first.
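
One way to implement the segregation recommended above on a Linux router, as an nftables ruleset. This is an added example, not taken from either article; the interface names (wan0, lan0, iot0, wg0) and the WireGuard port are assumptions to adapt to your own network. It also blocks IoT devices from opening any outbound connection, which stops the kind of phoning home described in the Krebs report but will disable devices that depend on a vendor cloud service.

```nft
#!/usr/sbin/nft -f
# Added example: all interface names and the VPN port below are assumptions.
flush ruleset

define WAN_IF   = "wan0"   # uplink to the ISP
define LAN_IF   = "lan0"   # trusted computers
define IOT_IF   = "iot0"   # separate subnet/VLAN holding cameras, DVRs, TVs
define VPN_IF   = "wg0"    # VPN tunnel interface
define VPN_PORT = 51820    # assumed WireGuard listen port

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN_IF accept
        iifname $VPN_IF accept
        # The only service exposed to the internet is the VPN endpoint.
        iifname $WAN_IF udp dport $VPN_PORT accept
        # IoT devices may ask the router for DNS and DHCP, nothing else.
        iifname $IOT_IF udp dport { 53, 67 } accept
        iifname $IOT_IF tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections that were allowed below.
        ct state established,related accept
        # Only authenticated VPN clients may open connections to IoT devices.
        iifname $VPN_IF oifname $IOT_IF accept
        # Trusted LAN may reach the internet, but not the IoT subnet directly.
        iifname $LAN_IF oifname $WAN_IF accept
        # Anything an IoT device initiates is logged (rate-limited) and dropped.
        iifname $IOT_IF limit rate 10/minute log prefix "iot-blocked: "
        iifname $IOT_IF drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

The "iot-blocked:" entries in the kernel log show which devices try to connect out, and to where, before you decide whether to permit any of it.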

These are not isolated instances. It seems that, for the moment anyway, manufacturers are being very lax with regard to the security of these networked items. Even where a manufacturer is not blatantly abusing the system, this casual attitude clearly creates a monumental privacy/security risk for consumers. Part of the problem is that these things are often built to a price, with the “cool” factor taking precedence over security.

As with the database breaches we have been hearing of almost daily, one wonders how long it will take before regulations are put in place, not only to ensure consumers’ security/privacy, but also to enforce culpability on those who are ultimately responsible.

For now anyway, it appears that any IoT device should be approached with a consummate sense of caveat emptor.

 

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years experience who first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s, he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.
