Attack of the Internet of Things

Attack of the Internet of Things

Did you know that many of the connected devices around the world can be made to attack computers and websites? Well, it happens all the time. I don’t mean physically, like a connected toaster going over and jumping up and down on your tablet. But someone can design a virus that infects a thermostat, garage door opener, camera, games console, car navigation system, or electronic device that is connected to the Internet. The virus can command the devices to collect personal data, monitor your activities, record keystrokes on a keyboard or keypad, or contact a certain website...you get the picture. As the number of connected devices increases, more and more of these kinds of attacks are occurring.

IoT Security as SEP (Somebody Else’s Problem)

A lot of people are talking about problems of security as they relate to the Internet of Things, but no one seems to want to accept responsibility for it. It is has become, for most people involved, Somebody Else’s Problem, or SEP.
The idea of the SEP field was first pointed out by author Douglas Adams in “Life, the Universe, and Everything”, the third book in the Hitchhiker’s Guide To The Galaxy series.
As the character Ford Prefect says, “An SEP is something we can't see, or don't see, or our brain doesn't let us see because we think that it's somebody else's problem. That’s what SEP means. Somebody Else’s Problem. The brain just edits it out, it's like a blind spot.”
Many of the people working on Internet of Things devices seem to have a similar blind spot when it comes to the gaping hole that is the lack of security inherent in these devices. Writers seem to notice the problem, but the companies who actually make the devices seem to be happy to ignore it. Could it be that they are in an SEP field of their own or do they see the problem, but they believe that somehow, someone else is going to solve it?
Unfortunately, the world probably needs to experience a major event to illustrate how important IoT security is. Most companies involved are just content to go their merry way, creating more and more smart devices with the notion that someone else will think of a solution to the security problems instead of creating a solution on their own.

What is the Internet of Things?

The Internet of Things is the name given to the network created by all connected devices besides phones and computers. This would be anything from thermostats, surveillance cameras, smart TVs, refrigerators, and medical devices to manufacturing machinery that connects to other machinery or devices that measure settings and such. All of these things connect to the Internet and therefore, in a roundabout way, to each other.

Billions and Billions of Connected Devices

As this article was being written in 2017, there are an estimated 17 to 20 billion connected devices in the world. Experts say there will be anywhere from 30 to 75 billion Internet-connected “things” by 2020.
While it is great and convenient to be able to control “things” with your phone, other people have phones too, and unfortunately, it is not always difficult for them to gain access to your “things”, too.

The Internet of Things Strikes Back

In addition to taking control of the physical device, someone could take control of devices and have them attack other things on the Internet. For example, ill-intentioned hackers could use IoT devices to launch a DDoS (Distributed Denial of Service)  attack on websites. This is where they gain control of a device and direct it to contact a website, for example. If they have gained control of thousands of devices and have them all contact the website simultaneously, they could potentially overwhelm the website and cause it to go offline. Sites can be targeted for a variety of reasons. Paypal, Visa, and MasterCard got attacked in 2011, reportedly by members of Anonymous, when they stopped processing donations for Wikileaks. A spam detection company called Spamhaus was attacked for adding a hosting site to its list of spammers. In 2007 many of the government and media sites of the country of Estonia were knocked offline when Estonia decided to move a Soviet War monument to a different location. DDoS-for-hire services can be bought on the dark web.

TV Show Hacks Intelligent Personal Assistants

Humorously illustrating how easy it is, in the season premiere of South Park’s 21st season, a character gave commands to his Amazon Alexa and Google Home devices, which were then followed by the devices in viewer’s homes. Characters in the show gave voice commands that set viewer’s alarms and added things like “scrotum bags” to shopping their shopping lists.

IoT Devices Make It Easy

The ease of which IoT devices have been used as a source of attack by malware such as the Mirai botnet to attack websites is due to hundreds of thousands of IoT devices having easy to crack default passwords that are not required to be changed after installation. The Mirai malware targeted connected video cameras and home routers to attack the selected site, causing it to be inaccessible. Default passwords to IoT devices can be found on the Internet which makes it very easy to take control of them if the passwords have not been changed.

Connected Car Vulnerability May Turn Your Car on Itself

In August of this year Trend Micro released a report detailing a flaw in almost all modern cars that could allow participation in an undetectable Denial-of-Service attack. The report said the exploit would not be easy to patch and could take until the next generation of automobiles to truly be rid of the problem. The exploit could allow someone to hack into the vehicle, disabling certain devices in the car like brakes, throttle, or door locks. Currently, there is no patch to fix this problem in the works, and some experts claim it may not even be possible to fix. This means we have millions of cars on the road that could be hacked at any moment.

Who Do We Need To Worry About?

As if the thought of bad actors spying on us through our things isn’t bad enough, there are also entities like the device vendors, Internet Service Providers, and even our own government to worry about. There isn’t a set of standards as to what type or how much data a device should store. If, for example, a thermostat is programmed to turn on at 4:30 in the afternoon, and a would-be thief gains access to that data, he or she could reasonably assume that you will be arriving home shortly after that time, meaning there will probably be no one home prior to that time. If you have smart locks installed, they could hack into the device and unlock them to gain access to your home.
When, and how much, a device is used can tell a lot about the owner's habits.
Even by learning how much Internet use happens at what time of the day can tell criminals a lot about when people are home and when they are most active.

Vault 7 Release Says CIA Can Kill You With Your Car

Earlier this year Wikileaks released a series of leaked CIA documents they called Vault 7. Some of the documents detailed that the CIA was researching how to hack a connected car to clandestinely assassinate someone. Whether this has ever actually done is being debated. The release also talked about how other Internet-connected devices like televisions could be used to eavesdrop on the owners without their knowledge.

Too “Smart" For Our Own Good?

Of all the areas that are expected to grow in the field of connected devices, one thing stands out, they are all connected. Smart cars will be controlled by smart traffic lights on smart roads in smart cities with smart factories, smart homes, and buildings. The smart building will have smart security, smart climate control, and smart door knobs.  Almost all of these could be the target of a cyber attack.

The Great Air BandB Lockout

Problems don’t always need to be the result of an attack, a wrong update to smart doorknobs recently locked people out of some Airbnb rentals. Property owners had to send the locks back to the manufacturer for replacement.

Who is Responsible?

The smart product industry is so wide and scattered, no one is taking responsibility for overall IoT security. There is money to be made, so the industry is making money while the money is good, and worry about the fallout later. If this doesn’t seem likely that this is the business model, just look at the tobacco and the pharmaceutical industries. Some smart technology industry leaders are simply leaving it up to the government to enact legislation to solve the problem.

Federal Trade Commission IoT Workshop

In April 2013 the Federal Trade Commission announced that it would host a workshop on the privacy and security issues associated with IoT devices, and requested public input on the issues. In response to the request for comment, FTC staff only received twenty-nine public comments from a variety of consumer advocacy groups, academics, and industry representatives. It seems they did widely publicize the workshop.  Following the workshop, the Commission invited comments on the issues raised by the panels. In response, staff received seventeen public comments from private citizens, trade organizations, and privacy advocates.

Whether the poor response was due to the FTC not promoting the workshop, or just a lack of interest by the public, the response was decidedly underwhelming. Something, hopefully, other than a massive IoT debacle, needs to occur to make sure the overall situation gets resolved. It is something we all need to take responsibility for.

Things You Can Do to Protect Yourself

  • Know Before You Purchase

A little research before you buy can go a long way toward alleviating future anguish. Check the security features before buying a smart product, and make sure you can change the password once you have installed it.

  • Change Passwords on New Devices

Many security breaches get their start from devices that have never been changed from their factory default password. Change them as soon as possible and don’t use the same password over and over again.

  • Update Firmware and Patches

The recent Equifax breach could probably have been avoided if Equifax had installed the patches that were available for months before the breach occurred. Closing the gate after the horses escape is never effective.

  • Turn Off Device When Not in Use

Besides the fact that if a device is off it won’t be being used for any mischief, often when devices are turned off, and especially when unplugged, they reboot and might wipe out any malware running on the device. Many devices don’t have a lot of storage space so programs are deleted when turned off. Internet-connected cameras have been used in several attacks, keeping them turned off when not needed also protects your privacy in event of being infected with spyware.

  • Secure Router and WiFi.

Make sure firewall is enabled to help protect all the devices on your network. It only takes one insecure device for malware to get a foot in the door.

  • Keep Abreast of Security Issues

Many of the recent exploits had been disclosed in the media before being used on a massive scale. The WannaCry and NotPetya outbreaks were caused largely by the use of old, not-supported operating systems. Sure, you might save a bit of money running an old copy of windows, but if your whole computer gets held for ransom, you lose any savings.

  • Use Anti-Virus, Firewall, and VPN if Possible

The attack vectors are numerous, so make sure you have as many bases covered as are reasonable. VPNs, anti-virus software, and firewalls can all help. People turn over so much of their life to technology that a great deal of attention must also be paid to preventing losses from attacks.

If All Else Fails

And to ensure against the possibility of all the above failing, you can also get cyber insurance to protect your small business against cyber attacks. This is still an emerging market so make sure you research coverage plans to make sure you are getting the best deal.

Destroying Iran’s Nuclear Power Infrastructure

Worms and other malware can actually cause physical damage to connected devices. In 2010, a malicious computer worm called Stuxnet infected computer equipment used in Iran’s uranium enrichment industry and destroyed up to 1000 centrifuges.

The Big Picture

Even if you don’t have a lot of Internet-connected things, you can still be affected because many others do. Much of the public infrastructure relies on connected devices. If for example, the power grid went down it would affect pretty much everything else. ATMs and ATM cards could no longer be used. Traffic control could be shut down, food distribution could come to a standstill. Utilities like electricity and water could be shut off. Dams could be made to fail. In short, great havoc and pandemonium could be created. The threat of the whole Internet of Things is the sum of its parts. It is only because the many thousands of individual devices are not protected that it gives us a greater threat. If the individual devices are protected, with better security protocols that force you to change your password from the default, and the other actions mentioned above, then the Internet as a whole will be better protected.