You might just be part of the problem: the cybersecurity risks of a connected home
For the past few years we’ve all been watching governments and businesses publicly grapple with tremendous cybersecurity issues. From devastating data breaches to record-breaking DDoS attacks, ransomware payouts, malware injections and exploited vulnerabilities that should’ve been patched years ago, there seem to be new horrors all the time and organizations are buckling because of them.
If you’re like many people (many, many people) you probably watch this cybersecurity circus from afar, feet up on the couch, iPad in your hand, thinking about how glad you are that you don’t have to deal with those problems. And maybe you don’t. But if you tune into a smart TV, keep track of your napping baby with a wireless monitor, have a fridge that can tell you when you’re out of eggs, or make use of any other smart device then, well, you better guess again.
The Internet of impressive Things
The Internet of Things or IoT is the global network made up of connected devices capable of collecting and exchanging data. If you have a device connected via WiFi, Bluetooth or similar protocols, then you have an IoT device. The IoT is currently billions of devices strong and consists of everything from CCTV cameras and DVRs to smart thermostats, coffee machines and washing machines, to fitness trackers, smart watches and headphones, to pacemakers and wireless vital sign monitors.
As such, the IoT is vast and – it must be said – very cool. At its best not only does it make life easier, more fun and more interesting, but it can also literally save lives and improve health. At its worst, the IoT represents billions of potential vulnerabilities, and cyber criminals are pouncing.
Since its inception, the IoT – and the people creating devices for it – has been largely focused on innovation. To that end it has certainly succeeded. But with such an emphasis on inventiveness and product performance, there’s been one major component of the IoT that’s been badly lagging behind: security.
The cybersecurity problems with the IoT are two-pronged. Firstly, as noted, many of the organizations behind the development of these devices have skimped on built-in security. Secondly, when people purchase these devices they tend not to view them the way they would a laptop or desktop computer, so even though those WiFi connections provide a pathway directly through the device and into the home, device owners don’t think to secure them. It’s impossible to assign an actual integer to it, but of the billions of devices in the IoT, the number that still use the default usernames and passwords is likely staggering.
Amazing as these devices may be, if they’re unsecured they present a hacking risk, one that puts not only the privacy of the owners at risk but potentially their health and wellbeing. The potential consequences for the owners of unsecured devices range from their images being stolen or broadcast via a hacked webcam or other video or photo device, to financial data, login information or other personal information being stolen from any device that collects or transmits this information (including unlikely sources like smart refrigerators), to their health possibly being impacted by something like a smart thermostat or oven being tampered with. For instance, a connected Jeep was famously hacked by security researchers two years ago, who found they could make the Jeep veer off the road.
And this is saying nothing of the risk presented by smart medical devices. Johnson & Johnson has already publicly dealt with the nightmare of a security risk in its insulin pumps, while St. Jude has had vulnerabilities identified in its pacemakers and defibrillators. These vulnerabilities put patient lives at risk, with hacked insulin pumps as well as cardiac devices capable of causing fatalities. They also put entire hospital networks at risk, giving hackers unsecured entry points. While Johnson & Johnson and St. Jude have dealt with public fallout for their security flaws, this is just the tip of the iceberg for medical device cybersecurity risks. As of March 2017 there were 36,000 medical devices discoverable on the connected device search engine Shodan. While this doesn’t necessarily denote vulnerability, it does make these devices easily exposed to hacking attempts.
The bigger picture
All of these unsecured devices pose a risk to the internet at large in addition to their owners, making them a threat to essentially every website and every business. Unsecured IoT devices are being herded in huge numbers into IoT botnets, which are being used to launch massive DDoS attacks. The most well-known of these IoT botnets is Mirai, which was responsible for the record-breaking attacks of last fall, including the attack on the Dyn DNS server that took Twitter, Reddit, Spotify, the New York Times and over 50 other major sites and services offline. Hajime and Persirai are two other botnets famously feasting on IoT devices, but with so many unsecured devices ripe for the hijacking, there are countless other botnets doing the exact same thing.
Hacking and hijacking risks or not, the IoT is going to grow ever-bigger. It’s estimated that by the end of 2017 there will be 8.4 billion smart devices online. What needs to be growing right alongside the IoT is an emphasis on cybersecurity, but with a severe cybersecurity workforce shortage in the United States (currently 350,000) as well as around the world – one million at the moment – it remains to be seen how well IoT developers and owners alike will be able to keep pace.