Is this a science fiction? Not really, if your toaster is connected to the Internet.
Once hacked, the Internet-connected devices can form a powerful zombie-net that can take down even most potent corporate computers. This, however, is not a story only about a ‘smart’ toaster but also about all connected devices that make the Internet of Things (IoT). These ‘smart’ things can be exciting but also can increase possibilities of cybersecurity breaches, potentially turning our pleasure into a nightmare. We often choose convenience over security and privacy.
The connected world
The Internet is continuously evolving as we increasingly become connected via various digital devices, also known as ‘Internet of Things’ (IoT). This phenomenon can be described as a network of separate, uniquely identified devices that can have the ability to correspond with each other even without requiring human to human or human to computer interaction. The predictions over the last years suggest that there will be at least tens of billions connected devices by 2020.
These smart devices are communicating with each other and with us at an ever-increasing speed, which is reaching almost unimaginable heights. ‘Marea’, the Spanish word for ‘tide’, is the newest specimen of swift connectivity. The ‘Marea’ is an undersea cable, which lies on the ocean floor at a depth of about 3,350 meters, and spans 6,500 kilometres between Bilbao in Spain and the Virginia Beach in the US. This cable can transmit 160 terabits of data per second. More illustratively, this cable enables 16 million times faster than the average home internet connection! As Microsoft recently reported, the bandwidth of the cable is equivalent to 71 million HD videos being streamed simultaneously!
Google has also invested 300 million US dollars in the transpacific undersea cable that links the US with Japan and other countries in Asia as well as some states in South America. Google claims that the capacity of this cable is 10 million times faster than the cable connected modem.
Apart from being useful for economies, societies and individuals, this connectivity also allows cyber-criminals to attack targets anywhere in the world with lightning speed.
‘Smart’ Toaster and Internet of Things
So, why would anybody want a toaster connected to the Internet? What is wrong with our good old toasters with levers or knobs with familiar ding alert? Nothing, except that our delicious piece of carbohydrate can disappointingly burn while we are receiving that all-important social media notifications while our bread is being toasted.
These digital toasters are usually Bluetooth-enabled devices and controlled by a companion smartphone app with settings for temperature, bread type and darkness. There is even setting for gluten-free bread. This gadget can also seamlessly integrate with other ‘smart home’ devices such as a ‘smart’ fridge or digitally controlled lights.
This is, however, not the only story about a ‘smart’ toaster but also about all connected devices that make the Internet of Things. These devices increase possibilities of cybersecurity breaches, potentially turning our pleasure of using them for fulfilling our dreams into a nightmare.
‘Smart’ thermostats, watches, virtual reality headsets, video doorbell and surveillance cameras are practical examples of IoT. ‘Smart homes’, for example, use embedded sensors and activators that are self-configured and can be controlled remotely through the Internet-enabled monitoring applications. These devices are able to sense and record the owners’ activities in order to predict their future behaviour by adopting their preferences.
Economic growth of IoT-based services is considerable and also well-received by businesses. Healthcare IoT applications, for example, are projected to produce high economic impact. Healthcare applications, related to medical wellness, prevention, diagnosis, treatment and monitoring services, are expected to globally generate revenue of about 1.1 to 2.5 trillion USD by 2025. The whole annual economic impact caused by the IoT is estimated to be in the range of 2.7 to 6.2 trillion USD by 2025.
Although some sources, such as the IDTechEx, report points out that IoT is still just hype, it is evident that the digital connectivity between various devices brings many benefits. However, it also contributes to growing cybersecurity complexity as these devices open up more doors for cyber-attacks.
A significant number of Internet-connected devices are, unfortunately, lacking even the most basic cybersecurity protocols. Hence, it is often possible to hack these devices in a few minutes and steal individual or corporate data, conduct espionage or even cause physical damage to digital and industrial equipment. For example, the ForeScout’s IoT Enterprise Risk Report identifies seven IoT devices that can be hacked in as little as three minutes but can take days or weeks to remediate. According to this report, the most endangered devices include those used in the Internet-connected security systems. Needless to say that disabling these devices allows for an easy physical break-in.
Damaging the ‘smart home’ digitally connected infrastructure (e.g. climate control or energy meters) can be done by cyber-attackers tampering with temperature controls and destroying critical equipment. Smart video conferencing systems can be used by cyber-criminals for spying via video and microphone while the connected printers can be misused for accessing individual, corporate or government information.
Voice over Internet Protocol (VoIP) enabled phone connections are usually used by malicious hackers for snooping on calls while ‘smart’ fridges can be used for accessing user’s internal network for obtaining credentials. ‘Smart’ lightbulbs can be attacked in order to extract Wi-Fi credentials to carry out further attacks. And these attacks can be accomplished in less than three minutes!
The IoT devices that are not appropriately protected increases privacy and security concerns. As the Network World recently illustratively stated, ten years ago, most of us had to only worry about protecting our computers. Five years ago, we had to worry about protecting our smartphones as well. Now we have to worry about protecting our car, our home appliances, our wearables, and many other ‘smart’ devices.
There are four factors that generally underpin growing number of cyber attacks on the IoT devices. Firstly, a cyber attack can originate from anywhere in the world making the jurisdiction rather complex and limits prosecution of cybercriminals. Secondly, the existence of an underground economy, a virtual marketplace that is difficult to control and mostly take place on the Dark Web, encourages cyber-crime. Thirdly, cybercriminals are becoming more sophisticated and better technologically equipped as they are often sponsored by states or organised crime.
Finally, advantages that cybercriminals have over cyber defence lie in the fact that an organisation must defend against all the known vulnerabilities, whereas cybercriminals only need to exploit a single (known or unknown) vulnerability to unleash a cyber attack. The existence of an underground economy enables cyber-criminals to adopt the newest technologies at the fraction of the costs needed for cybersecurity defence. On the other hand, cybersecurity requires substantial investments for protecting organisations from every single or majority of possibilities while cyber attackers need far fewer resources as it is sufficient to find a single vulnerability and exploit it.
The poor security of the IoT products consequently poses an inherent risk to the security of individuals and organisations which use them. The IoT manufactures are pressured to get their devices to the market quickly, often compromising on security. Even if they may offer cybersecurity upgrades, they often stop with that practice once they focus on constructing the next device.
Malicious hackers are fully aware of these shortcomings and can easily get into the IoT device by using a piece of computer code that searches for any internet-connected devices that have default settings or weak security.
In October last year, for example, the Internet had its biggest interruption to date when a large number of major websites were maliciously closed by a cyber-attack dubbed as ‘Mirai’ botnet attack. Exploiting the weak security of Internet-connected devices, such as security cameras and ‘smart’ recorders, the attackers caused the traffic-overload to shut the Dyn, the US East Coast major domain name service provider. The effect was astonishing. The major websites including Amazon, Netflix, The New York Times, Reddit, Twitter, Spotify, Playstation, Airbnb, Heroku, Vox, The Boston Globe, PayPal, and many others, were knocked out! Their customers were justifiably irate.
A report published by Gartner last year predicts that by 2020, more than 25% of identified attacks within enterprises will involve IoT. According to Gartner, spending on IoT security will reach 547 million USD by 2018 and then IoT security spending will accelerate in about five years.
Be smarter than your ‘smart’ devices
Should we then refrain from buying and using ‘smart’ toasters and other ‘smart’ gadgets? The 2016 ESET survey showed that 50% of consumers indicate that concerns about the cybersecurity of an IoT device have discouraged them from purchasing one. At the same time, 72% of respondents were more concerned with hackers getting into their computer and/or smartphone than getting into the IoT devices and ‘living’ in their house without their knowledge.
However, to advise against IoT devices would be equivalent to advising people not to use electricity because it might be dangerous. What is needed is to outsmart our ‘smart’ devices. In other words, we need to practice ‘cyber hygiene’ thus, exercising ‘smart control’ over the powers of our ‘smart toys’.
While the IoT manufacturers, creators of standards and governments have a huge role to play in securing vulnerable ‘smart’ devices, consumers must also take some personal responsibility and become the first line of defence. This practically means that users should make at least brief exploration of how IoT devices could be (miss)used to harm them. The users should also read any agreement they sign when receiving a device. It would be helpful to learn about the manufacturer’s safekeeping policies regarding the data gathered by ‘smart’ devices as sometimes the trade-offs are unacceptable.
However, the advice given to the IoT users are often far over the heads of non-technical IoT consumers. For these users, it is advised to become a bit more technical savvy or to solicit professional advice. For those fairly technically inclined, here are a few more recommendations.
In order to prevent hackers to easily gain access to your newly bought router that connects IoT devices, it is imperative to immediately change the default password. The RSA 2016 report confirmed that 81% of data breaches in 2016 were attributed to weak, default or stolen password. Changing this password every three months and regularly updating software on all devices should become a part of ‘security hygiene’. Furthermore, it is essential to deploy and regularly update cybersecurity software that allows for viewing and managing the devices that access the network.
Many IoT devices try to connect to the router to open up inbound holes so they can accept connections from outside. Although this makes it easier to access the internet, it also exposes the IoT devices to malicious activities. Hence, it is important to limit the access and privileges to the connected devices. Turning off Universal Plug and Play (UPnP) on the router and IoT devices can prevent this exposure.
Should our ‘smart’ toaster be able to access our contact list? Will the fridge ever need to communicate with our front door lock? The answer should be a firm no! Hence ESET advises that we should ensure that devices and apps do not have free rein to unnecessary communicate with other IoT appliances. This practice prevents infection of other IoT gadgets if one device is breached.
It is also advisable to connect to the Internet only necessary IoT devices. The IoT industrial users should particularly consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption. Hence, it is advised to connect carefully and purposely.
It is also vital to carefully select devices that will be linked to cloud computing services. IoT devices that require cloud computing services are often considered less secure as they potentially can give away more information than those locally controlled.
From an organisational viewpoint, it is advisable not to take personal IoT devices to work or connect them to the organisational network without permission from IT departments. Insecure devices could allow cyber-attackers to gain access to the organisational network, which can result in stealing data, illegal surveillance or disruption of business processes.
There is much more advice on how organisations can protect its connected devices from being misused or abused. For example, the US Department of Homeland Security gives specific recommendations in the form of Strategic Principles for Securing the IoT. For instance, incorporating security at the design phase is essential as cybersecurity should be evaluated as an integral component of any network-connected device. It is, however, often happening that economic drivers motivate businesses to push devices to market with little regard for cybersecurity. It seems that the makers of these often addictively convenient gadgets are consistent in one thing: they still have a business strategy of “sell more now and fix it if we get bad exposure”.
This sounds like a long overdue wake-up call that should force the hardware and software makers as well as cybersecurity industry to improve security and safety of our beloved IoT gadgets. Unless it happens, an increased number of attacks are imminent. Drawing a parallel, it would be unimaginable for a customer to buy a car that has no guarantee for the safe use of the steering wheel or brakes. Why then should we buy IoT gadgets that do not guarantee our digital safety and security?