The Danger of the Internet of Things
Like it or not, the so-called Internet of Things is here, and it’s only just beginning. You can now buy Internet-connected versions of many major household appliances including your kettle, refrigerator, smoke alarm, thermostat and (if you’ve got the money to spare) systems for controlling your entire house.
What’s the Problem?
Now, I’m the first to admit that having an Internet-connected thermostat sounds like a brilliant idea in theory. However, as a security professional, I’m worried that such a device presents a significant risk to the security of my home.
Why? It’s quite simple really. Should someone manage to link their smartphone with my Internet-connected thermostat, they could do a lot of things that might cause me problems:
- They can tell when there’s no one in the house – as the thermostat automatically lowers the temperature when it stops detecting movement.
- They could tell the thermostat to raise or lower the temperature – potentially putting the lives of people in the house at risk.
Now, I know that the designers of the Nest Learning Thermostat have built technology into the product to make the pairing process and app communication as secure as possible. However, if someone manages to get access to your Nest Account, they have access to all the devices connected to it from anywhere.
Internet-connected refrigerators have already been proven to be susceptible to attack, and have even been used to send spam e-mail messages. If this happened to your smoke alarm, could you really trust that it was protecting you?
Why the Internet of Things is Such a Big Deal
The Internet of Things has been talked about at length for years. However, it is only recently that we’ve had the technology to make the most of it.
These days, whenever you install an Internet connection in your house, it is most likely distributed through some form of wireless network. This has given consumer electronics manufacturers a way of connecting your appliances to the outside world more easily than ever before.
This ease of connectivity comes at a price though – your wireless network is only as secure as the passphrase that protects it. If that is easy for someone to guess, then everything connected to it becomes a target.
Now, this may not be such a big deal if your wireless network only has computers connected to it that aren’t switched on all the time. However, if you have started filling your house with “connected devices” (TVs, Blu-ray Players, etc.) then the risk posed by someone gaining access to your wireless network increases greatly.
I Can See You
If you have a new “Smart TV” that has a built-in web cam for example, it has already been proven that malicious individuals could get access to the camera and see what was happening in your house.
Even if all you have is a standard networked web cam to keep an eye on things you care about, several security researchers have shown that most people do not set these up properly and that they can be accessed by anyone.
Now, is this purely a result of the Internet of Things crowd making us believe that we need all of our devices to have cameras so they can recognise us? I don’t think so.
People have been installing cameras in their homes and offices, and connecting them to the Internet long before anyone ever heard of the Internet of Things – and they’ve been attacked and compromised but probably never knew about it.
If your office was broken into, would you instinctively look to see if someone had gained access to your surveillance system to find out where your security guards were (and so avoid running into them)? Of course not, as you still think of your cameras as they would have been had you been using CCTV – completely isolated and only accessible on-site.
This is because the companies that used to supply standard CCTV systems that were only accessible on-site started adding the ability for you to monitor your systems externally. The easiest way for them to do that was to make them accessible via something your company already had: an Internet connection.
It doesn’t take a genius to see what happens to an inherently secure system when you connect it to something that is by its very nature insecure. Small hint – it is no longer secure.
Is It Getting Hot In Here?
Thermostats with interfaces you can access via a computer are also nothing new, and people have still opened those up to the Internet at large, all in the name of convenience – without even stopping to think about what impact that will have.
Just because the thermostat on the wall of your meeting room has a web interface that allows you to control it remotely does not mean you should open up access to that interface from the Internet so you can control it from home should you forget to switch off the air conditioning.
If you are going to need to do that, at least make sure you make it accessible through your existing secure remote access technology, so someone just casually scanning the Internet doesn’t find it.
Let There Be Light
One of the most bizarre things to appear as a result of the Internet of Things revolution is the light bulb that you can control from your smartphone.
Now, I can understand why you would want to control your lights with your smartphone. After all, you use it for practically everything, it’s never too far from you, and light switches are so 20th century. However, you may want to stop and think about what could happen if someone else managed to gain control of your lights.
If someone else managed to gain control of your lighting system, they could probably only annoy you by turning the lights on in your bedroom while you’re trying to sleep – or turn them off and stop you from being able to turn them on again. However, if they could tell the light bulbs to switch on and off rapidly, they may well cause serious harm.
Just How Far Will the Internet of Things Go?
The problem with this new era of connected devices is that companies are constantly looking for ways to enable you to control everything from your smartphone, so I don’t expect the Internet of Things train to stop any time soon. In fact, I expect that things are likely to get a lot worse.
Apple recently announced CarPlay – a system that enables car manufacturers to provide direct integration of iOS into their cars. This enables iPhone users to access their Messages, Maps, Contacts and many of their apps directly from something that is connected to the rest of your car.
Google is also working on a similar system for Android devices. However, I really hope that Google re-thinks its policy of allowing anyone to post apps to the Play Store if you can start running those apps on your car, as we already know that there is a large amount of malicious software available for Android devices purely because Google doesn’t control the Play Store.
This is not to say that I think the Internet of Things is a bad concept, just that I feel that the companies creating all this new technology really need to start engaging with the security community so we can help them design the most secure systems possible.