The security risks of IoT devices
The Internet of Things (IoT) isn’t a new concept, but it has gained momentum especially within the last year, as more and more connected devices have come to market. While connecting everything brings added convenience to our everyday lives, it’s crucial to understand what we may be compromising from a security perspective, and importantly, which devices could pose a threat either now or in the future.
With so many connected devices we decided to take a look at those that have made the headlines so far this year. Cars, for instance, have only recently become connected, although they have long been computerized. However, with poor Internet security expertise some manufacturers are being caught out.
In April, Cybersecurity experts Charlie Miller and Chris Valasek revealed a software flaw that allowed them to take control of a Jeep Cherokee on the move -- all from a laptop computer at home. Hacking into the Jeep’s electronics through the entertainment system, they were able to change the vehicle’s speed, alter its braking capability, and manipulate the radio and windscreen wipers. The two described the hack as "fairly easy" and "a weekend project".
A few months later, news broke that researchers had hacked a Tesla Model S, once again via the car’s entertainment system. Although it took closer to a year to pull this hack off, the researchers were able to apply the hand brake, lock and unlock the car, and control the touch screen displays. Tesla quickly developed a fix, which has been sent to all of the affected vehicles.
Hacked vehicles are an obvious cause for concern, but the hazards presented by apparently innocuous devices such as the "smart fridge" or "connected toaster" also warrant equal consideration. The thought of a hacker gaining control of your refrigerator may be less daunting than them taking control of your steering wheel on the motorway, but these products can act as a gateway to much more sensitive information.
An example of such a hack was the recently exposed man-in-the-middle vulnerability of a Samsung smart refrigerator: its calendar integration functionality provided hackers with access to the owner’s network and the ability to steal linked Gmail login credentials. A similar weakness has been identified insmart light bulbs, when hackers were able to obtain the passwords for the connecting Wi-Fi network as they were passed from one bulb to another.
IoT devices, however innocuous they may seem should be thought of as a point of entry. Think of it like leaving the window open in your spare room; there may not be anything of value in the room itself but it allows access to the rest of your home unless properly secured.
Security myths around connected devices are also plentiful. One such area is smart medical devices. Most personal devices aren’t connected to the Internet at all; they use Bluetooth to connect to other smart devices. Most medical appliances are too small to allow integration of a mobile phone connection and, in any case, consumer concerns over placing phone transmitters in the body restrict the development of the technology. Therefore, hacking a pacemaker or similar device is highly unlikely at present.
Another IoT fable, at least for the time being, concerns smart watches. Again, the majority simply do not connect directly to the Internet. That being said, HP has found some major areas for concern in many smart watches, including insufficiently robust authentication, vulnerability to man-in-the-middle attacks, and poor firmware updates. As Gary Davis of Intel says, the real weak link is the user’s mobile phone: most wearables link to phones, which by comparison hold vastly more personal data and exhibit many of the same vulnerabilities.
However, wearables are an area for concern -- it’s the information that they hold that can be valuable. For example, this year, some music festivals allowed participants to load their wristband pass with credit card information, thus avoiding the need to carry a bag or wallet, or to have to dig around for change in the middle of a busy crowd. Simply holding their wristbands up to the vendor’s reader was enough to pay for drinks, food and merchandising.
Sounds cool and convenient, right? But as people left the festival others were lined up at the exit, eager to buy their wristbands. Sell it, and the buyer only has to crack the wristband’s four-digit PIN to gain access to the credit card information: a relatively simple matter.
Wearables, particularly fitness trackers, have taken off in the past few years. Figures for 2015 show that 14 percent of UK adults own a wearable device or smart watch (as compared to 63 percent who own a smartphone or tablet). The market for health and fitness devices and smartphone apps has doubled in the last year. Users may not realize that wearable tech creates new opportunities for a massive quantity of private data to be collected.
Symantec threat researcher Candid Wueest recently told Wired that the danger of wearable devices at this point is that developers are not prioritizing security and privacy. His research found some devices that sent data to a staggering 14 IP addresses; and at a Black Hat demonstration, he identified six Jawbone and Fitbit users in the audience, and specific details about their movements -- down to the time they left or entered the room.
So, before you place your order for that new fancy fitness tracker or that swanky internet connected fridge, take a moment to consider the points below:
Make Security a Priority
Just as with any other tech device, back up your data. Most people don’t start regularly backing up data until they have lost their photos/tax returns in a hard drive crash; security tends to be a secondary consideration until you become a victim.
Ensure you know what a device does, how it is secured and how to minimize opportunities for fraudulent individuals to misuse the information it holds or gives access to.
For example, consider buying a wearable that comes equipped with remote-lock capabilities, so that you can lock or erase its data if it is stolen. As always, use a password to protect your device; use biometric authentication whenever possible; and pay attention to user reviews.
Andy Thomas, managing director, CSID Europe
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.