The “Internet of Things” is a phenomenon whose time has come, but not everyone is impressed with the results. While smart devices offer all sorts of convenience, they are also very problematic from a security perspective. Once the majority of our home devices are connected to the internet, network security becomes virtually impossible to guarantee.
Are IoT Devices Insecure?
There is no simple answer to this question, as it depends on the device in question. Some IoT devices are very limited in their capabilities and would never be able to handle things like encryption or firewalls, and these are inherently non-secure. That being said, some IoT devices are designed with security in mind, meaning that there is hope for them.
Even so, security-minded IoT products are very much in the minority. We hope that as this technology grows more popular, more IoT companies will take the threat seriously and start equipping their products with more robust anti-hijacking measures. Let’s take a look at the problem before we examine the solutions.
IoT Hijacking: Case Studies
In order to understand the threat, we should look at a few real-world examples. We might start by mentioning Google Nest, a platform under which Google has sold millions of smart devices. The Nest lineup includes smart thermometers, cameras, speakers, displays, smoke detectors, carbon monoxide detectors, and a whole lot more. It is basically Google’s attempt to create a universal IoT brand.
Unfortunately, this technology has proven to be quite vulnerable. This article alone details several disturbing cases in which Nest devices were successfully hacked. A couple from Wisconsin (only one of whom gave their name) says that a hacker turned their thermostat up to 90 degrees before hijacking a camera in the kitchen. After that, he began verbally taunting them and playing “vulgar music.”
The above was basically just an annoying prank, but there are more serious cases. For instance, a family in northern California experienced a serious panic after one of their Nest devices said these words: “North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago, and Ohio.” Needless to say, there were no nukes headed toward the U.S., but this demonstrates how easily hackers can gain access to these devices.
Perhaps the most disturbing incident came from a Houston couple that used their Nest camera as a baby monitor. After running into their child’s room one night, they found that the camera had been hacked. It began threatening to kidnap their baby and saying other ominous things. Due to the extreme nature of the story, it has since become well-known.
Re-Thinking IoT Security
Although the incidents above did not result in serious harm, they are frightening reminders of how vulnerable these IoT devices can be. It’s only a matter of time before cyber-criminals find some way to profit from these hacks, and then it will be a whole new ballgame. Before that happens, IoT manufacturers need to start incorporating robust security measures into their devices. If they fail to do so, the public should punish their negligence by refusing to buy their products.
Although it might be a little premature, here is our list of security measures that we would like to see incorporated into the next wave of IoT devices. Hopefully, it won’t take a major incident to bring about those changes.
1. Intrusion Alerts
Some IoT devices are already offering this option on a limited basis, but that’s just not good enough. Every IoT device should have some kind of alarm that alerts the owner to suspicious activity. It would be best if the user could configure those alerts to weed out many of the false alarms, but any kind of intrusion alarm would be better than nothing.
Unlike computers, IoT devices are often placed and forgotten. No one wants to go around checking their devices all day, so there needs to be a clear and obvious indicator of trouble. This could probably be done if manufacturers combined a packet-monitoring program with a constantly updated list of virus definitions.
2. Strong Encryption
Network encryption and disk encryption have both proven to be among the most effective cybersecurity tools. In fact, they are among the few security measures that are really trustworthy (as long as they’re done correctly!). Because the computer uses your password as a key with which to decode the rest of your data, encryption will generally be as secure as its password.
If these measures were employed on IoT devices, we would definitely see a lot fewer of these hacking incidents. Such barriers would keep out the average internet-troll-type hackers and may even be good enough to keep out the more highly skilled and dangerous variety of cyberattackers.
3. Tracing Capability
We all know that law enforcement has the ability to trace phone calls, text messages, emails, and most other communications. We can see reports in the news every day about this technology being used to catch criminals, so why hasn’t anyone applied that technology to the realm of private cybersecurity?
The answer, of course, is that they don’t trust the average person with those kinds of tools. There may be some wisdom in this, but at the same time, the ability to trace a hacker’s location would make any IoT device a lot safer. Even if it wasn’t effective in 100% of cases, it would serve as a powerful deterrent.
4. Firewall Blockers
Although firewalls are not necessarily the most powerful security measure, we think that they have a lot of potential in this situation. Generally, an IoT device will only need to connect to the internet on a limited basis. That means they will only need to communicate with a small number of sites. Thus, you can whitelist those sites and set your firewall to block everything else. This is a simple measure that would be inexpensive to implement, and would probably make it a lot harder to hack IoT devices.
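As an added illustration (not code from the original article), the Python sketch below applies the default-deny allowlist described here to a constructed flow log and turns every blocked connection into the kind of owner alert called for under Intrusion Alerts. The device addresses, allowlist entries and log format are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Constructed policy: per-device egress allowlist (destination network, protocol, port).
# Addresses use documentation ranges; a real list would come from the device vendor.
ALLOW = {
    "10.0.20.11": [("198.51.100.0/24", "tcp", 443), ("192.0.2.53/32", "udp", 53)],  # thermostat
    "10.0.20.12": [("203.0.113.0/28", "tcp", 443), ("192.0.2.53/32", "udp", 53)],   # camera
}

# Constructed flow log, one flow per line: "epoch src dst proto dport"
FLOWS = """\
1700000000 10.0.20.11 198.51.100.7 tcp 443
1700000005 10.0.20.12 203.0.113.4 tcp 443
1700000009 10.0.20.12 192.0.2.53 udp 53
1700000012 10.0.20.12 203.0.113.200 tcp 443
1700000015 10.0.20.11 198.51.100.7 tcp 23
1700000020 10.0.20.99 198.51.100.7 tcp 443
1700000031 10.0.20.12 203.0.113.200 tcp 443
"""

def allowed(src, dst, proto, dport, policy=ALLOW):
    """Default deny: a flow passes only if the source device has a matching rule."""
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in ipaddress.ip_network(net) and proto == p and dport == port
               for net, p, port in policy.get(src, []))

def evaluate(log, policy=ALLOW):
    """Return (blocked flows, alert counts keyed by (device, destination, port))."""
    blocked, alerts = [], Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, proto, dport = parts
        if not allowed(src, dst, proto, int(dport), policy):
            blocked.append((int(ts), src, dst, proto, int(dport)))
            alerts[(src, dst, int(dport))] += 1
    return blocked, alerts

if __name__ == "__main__":
    blocked, alerts = evaluate(FLOWS)
    for (src, dst, port), n in alerts.most_common():
        print(f"ALERT {src} -> {dst}:{port} blocked {n}x (not on allowlist)")
```

A device with no entry in the policy is blocked outright, so an unknown device joining the IoT network shows up as an alert rather than passing silently.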
Conclusion
If these four measures were implemented on every IoT device, we believe that these incidents would become rare. After all, many hackers are not serious enough to attack a well-fortified position, and they have no real motivation to do so anyway. Most of the attacks we have seen thus far have amounted to nothing more than malicious “trolling,” mostly because hackers have not yet figured out how to monetize this method. Wouldn’t it be better to secure these devices before they become a major problem?
To learn more, feel free to call PCH Technologies at (856) 754-7500.