On October 21st, 2016, the leaves weren’t the only thing falling down. Dyn, a company that controls a significant part of the internet’s DNS infrastructure, watched as their servers shut down one after another due to a massive DDOS attack. The consequences were dire: access to Reddit, Netflix, CNN, and other popular sites was off for almost one day. One day might sound not that bad, but from the business point of view, it’s a disaster.
Let’s take a look at another example. On January 9th 2017, the FDA (Food and Drug Administration of The United States) had to make a statement that makes the DDOS attack above look like a scratch.
In other words, hackers can literally give someone a heart attack — a terrifying scenario, which, sadly, is closer to reality than ever before. There’s one thing both incidents have in common: the exploitation of IoT devices. On the first occasion, servers were attacked by printers, cameras, and baby monitors that were used as a botnet to flood the servers with requests until they crash. Hacking a transmitter to gain access to a cardiac implant is another example of IoT hacking.
What is IoT?
IoT is a network of interconnected devices that can share data with each other. Internet is inseparable from human communication, the development of the internet is the development of global light-speed communication between humans.
Internet of Things, on the other hand, is primarily defined by communication between interconnected machines, that separately have little to no purpose of being online (that’s why tablets and smartphones aren’t considered IoT devices).
The first IoT device dates back to early 1980. David Nichols, a graduate student at Carnegie Mellon ‘University’s computer science department, connected a coca-cola vending machine to his department’s main computer, which in turn was connected to ARPANET (an early version of the internet). This way, he was able to know the status of the drinks (full-empty/warm-cold) remotely from his computer. Vending machine and main computer exchanged information, and David was able to check the status whenever he wanted.
IoT in 2019
Almost thirty years have passed since the first IoT device, and the predictions are that by the year 2020, we will have over 50 billion IoT devices. That’s about six times more than the world population. Already called the fourth industrial revolution, it poses new challenges on all fronts.
One of the biggest problems is device security. Over the last thirty years, we’ve witnessed the expansion of the internet, the evolution of mobile phone into a smartphone, virtualization of money. New risks followed each stage of development: online communication is used for propaganda; smartphones for tracking; and bank accounts are emptied without the use of a gun.
There’s little doubt that connecting various devices to the internet and giving users remote access makes life more comfortable. However, comfort is a curse word for cyber security experts. Online security and privacy protection are frequently exchanged for ease-of-use, and IoT is no exception. Let’s take a closer look at what dangers lie behind the development of IoT.
The security challenges of the IoT
Internet of Things closely converges with the smart home concept. The fridge that alerts you you’re out of milk, an oven that you can heat by clicking smartphone on your way home, and baby cameras, among other things. That’s comfortable.
However, if any of these devices are not adequately secured, then it can backfire. Baby cam hacks already became a prank for tech-savvy teenagers, and you can check the reaction of the unsuspecting mother on this video.
Another threat is DDOS attacks. Up until now, the most common scenario is to infect as many computers as possible with malware that turns them into a botnet. Computers are relatively hard to hack though. That’s not the case with IoT devices. Even though these devices do have some computing power, it doesn’t come close to the capacity required to sustain a high-quality self-protection system. It is, however, enough to carry out a DDOS attack.
That brings us to the third challenge — gaining access to IoT devices. Currently, most IoT devices are sold and shipped with extremely weak security implementations, equivalent to “admin/root” router login combination. Device IPs are frequently exposed, and there’s even a search engine for IoT devices. Most users don’t read the manual closely enough, and manufacturers don’t put enough effort for their customers to at least change the login/password combination, meaning that a simple brute force attack can grant access to a vast amount of IoT devices.
First lines of defense
IoT is inevitably coming to our lives, and it is up to users to improve their safety. Luckily, there are cyber security groups like OWASP (Open Web Application Security Project) that launched the IoT security project in 2014. Ernst & Young released a report “Cybersecurity and the Internet of Things”, that elaborates on the probable dangers of the IoT. Education is the first line of defense, since everything is becoming Smart, so should you.
Second, hackers don’t look for hard targets. They look for “easy money.” Using a strong login/password combination for each device is a necessity.
Third, most IoT devices connect to the internet via the home router.
If your device is sending data in an unencrypted form, the communication can be intercepted, modified, and infected with malware and viruses. Until the devices come with hardcoded security applications, a VPN on a router is highly recommended. It encrypts all communication between IoT devices connected to the router and masks the IP address making it much harder to exploit your network for malicious purposes.
Last, but not least, online security is a marathon, not a sprint. If you’re planning to use IoT in your household, you will need at least some knowledge about IoT security. Just the way locking doors is not a one-time thing, securing expanding network of networks can’t be achieved with one gesture, but with constant vigilance and improvement.