The message in a social media meme circulating recently is stark: a black-and-white picture of a frightened woman on the phone, captioned: “People in the sixties: ‘I better not say that or the government will wiretap my house,’” opposite a contemporary shot of a woman talking to a speaker, captioned, “People today: ‘Hey wiretap, do you have a recipe for pancakes?’”
The Internet of Things (IoT) and its offshoots—the connected home, car and self—are quickly becoming facts of 21st-century life. Faced with urban legends about smart TVs recording private conversations, makers of those devices need to consider security factors. Hackers snooping via Alexa or turning household appliances into spam-spewing “thingbots” are concerns for individuals, while hacktivists, corporate espionage, and spying by foreign nations are growing concerns for businesses and governments.
“It’s really scary,” said Larry Ponemon, founder of the Ponemon Institute. “IoT is basically going to increase these data breaches and cyber exploits because it’s easier to hack your microwave or refrigerator.”
Privacy issues first arose with the initial generation of IoT devices, most notably wearable technologies, such as fitness monitors, wireless cameras, and GPS devices. The Owlet, a wearable baby monitor, was found to be hackable by scanning Wi-Fi networks, as were a number of Wi-Fi-enabled security cameras. Critics noted highly personal information—as basic as a person’s vital signs and state of health—could be accessed through wearables, which raised the specter of insurers redlining individuals based on their blood pressure or eating habits.
The latest generation of IoT technology—home systems that use voice search and predictive analytics to analyze behaviors and anticipate the users’ needs—would allow for deeper snooping if they are compromised. Your digital assistant really could wiretap your conversations, and your car dashboard could record your activities.
In many cases, even security-savvy companies can have blind spots for these innocuous objects. Ponemon notes that his company advised a defense contractor whose proprietary information had been inexplicably leaked to competitors in other countries. The investigation found a wireless printer in the office of the general counsel had been compromised, and rivals were looking at contracts and other information. The company was monitoring its network security but had neglected to watch the printer, explained Ponemon.
Gartner has forecast that 20.4 billion IoT devices will be connected around the world by 2020, up from 8.4 billion in 2017. That includes everything from smart TVs and thermostats at home to security systems in office buildings and medical devices in hospitals. Their vulnerabilities were demonstrated by the Mirai virus in 2016, which turned IoT devices into a botnet of zombie traffic for denial-of-service attacks around the world.
This is no Y2K bug that will fizzle in the harsh light of day, say experts. No sooner had the first connected cars come onto the market than videos began circulating of hackers taking over the controls. The open source library GitHub has a repository of IoT hacks that documents vulnerabilities in networked toys, security cameras, and even one sniper rifle, as well as a report of a spam attack where a bot used at least one networked refrigerator to serve malicious emails. Meanwhile, manufacturers are more focused on adding functionality to win the AI race than they are on creating safeguards.
Some such safeguards are “typical stuff and not limited to IoT devices,” explained Rick Howard, chief security officer of Palo Alto Networks. They include features such as “easy buttons” that let customers restrict who the device can talk to or lets them turn off internet access, as well as installed digital identity, a certificate that allows the customer and the manufacturer to know that the device is what it says it is. Other best practices include using default communications protocols and sharing them with the industry, according to Howard.
“The expectation is that people will be more responsible,” said Ponemon. But some companies, such as medical device manufacturers, are beginning to build security protocols on high-risk implantable devices, such as pacemakers, he added. This past August, the FDA recalled 465,000 Abbott pacemakers to patch a vulnerability eight months after it advised the devices could be hacked.
Lacking hack protection
Any number of connected appliances can be breached because many manufacturers have not included hack protection in them, noted Ponemon. Experts point out that making security protection – such as passwords and user authentication – the default setting, rather than leaving it to the user to set up, would strengthen the configuration.
However, ease of use and “frictionless” engagement have been big selling points underpinning the growth of consumer IoT devices. To marketers, adding safeguards, such as two-factor authentication, negates that product attribute.
Consumers aren’t clamoring for additional safeguards, however, said Howard: “The trend until now is that security or privacy features are never added to a product for the ‘sake of the customer.’ Rarely do customers demand such features, and almost never are they willing to pay a higher price for them.”
The chance that, once a device is compromised, others will follow is not the bigger problem at hand. Multiple systems are more likely to be compromised by spies than thieves or hacktivists, Howard says.
“I think it is rare that a hacker will try to compromise all the IoT devices in a victim’s network unless they are conducting espionage or influence operations,” he observed.
There is no need to panic about office equipment or kitchen appliances gone rogue yet, but most forecasts call for a rise in the hacks—and concern. IoT patches are yet to spark the kinds of consumer reactions that have followed traditional data breaches at retailers and other organizations.
Liability in cases of device hacks is still an open question, explained Howard. It’s unlikely that a motorist injured by a hacked connected car could successfully sue the automaker.
“There are a lot of variables that would have to fall into place for this to happen,” he concluded. “That said, if there were a class-action lawsuit where many victims had injuries or death resulting from an IoT device attack, then maybe.”