For Internet of Things (IoT) optimists, there is no conceivable limit to the number of “Things” that could and should connect to the Internet. If an object’s utility can be even incrementally enhanced via WiFi, then it deserves a formal invite to the party, whether that object is a smart hairbrush or a connected teakettle.
IoT pessimists, however, believe that putting smart chips in everything and anything is about as intelligent as putting motor oil on your popcorn. Motor oil, good. Popcorn, good. Popcorn with motor oil… Sometimes all you really need is a healthy dose of salt.
Research and advisory company Gartner estimated that 8.4 billion connected “things” were in use in 2017, up 31% from the previous year. Industry practice, however, has not caught up with the risks that come with a vast, widely-distributed and poorly-secured population of devices.
The massive Mirai botnet DDoS attacks of 2016, for example, were carried out by code so simple that one hacker derided it as “trivial attack code”: Mirai spread by logging into devices over Telnet with a short list of factory-default usernames and passwords. And even today, many IoT devices have no mechanism for receiving firmware updates, so a flaw discovered after shipping stays exploitable for the life of the device.
With current estimates of 31 billion IoT-connected devices by 2020, we’re long past due for a healthily skeptical look at the surprising security risks floating about in our midst, and the many ways that leave IoT-enabled devices open to attack.
Usually, when someone stops your heart from afar, it’s romantic. That’s not always the case these days, as a determined attacker can remotely hack into medical devices to do the dirty work. Animas’ OneTouch Ping insulin pumps, for instance, contain three security flaws (unencrypted radio traffic between the remote and the pump, weak pairing, and no protection against replayed commands) that allow an attacker within radio range to override the device’s insulin flow and administer a potentially fatal overdose.
And at least 10 late-model implantable pacemakers and defibrillators have been hacked by a team from KU Leuven in Belgium who, as reported by The Register, “managed to hack pacemakers from up to five metres away, gaining the ability to deliver fatal shocks and turn off life-saving treatment.” Attacks like these succeed because the proprietary wireless protocols used to program such implants relied on obscurity rather than real encryption and authentication.
He sees you when you’re sleeping, he knows when you’re awake… No, not Santa Claus, but any hacker with unauthorized access to Internet-enabled plush toys like CloudPets, who may listen in on your family’s private messages.
In 2017 it was discovered that over 2 million voice recordings made with CloudPets toys, along with the account details of more than 800,000 customers, had been exposed: the account database sat on the public Internet with no password, and the recordings themselves were in cloud storage reachable without any authentication. Worse, the researcher who first found the exposure “tried to contact CloudPets three times to warn them about the exposure,” wrote Microsoft MVP and online security consultant Troy Hunt.
“Three attempts to warn the organization of a serious security vulnerability and not a single response.”
Hackers can now hold a hotel’s guests for ransom. Just ask the Romantik Seehotel Jägerwirt in Austria, whose electronic keycard system was crippled by ransomware in January 2017, leaving the hotel unable to issue or reprogram keycards for its 180-plus guests. The attackers demanded €1,500 in Bitcoin, which the hotel promptly paid.
To prevent further attacks, the Seehotel Jägerwirt disconnected its systems from the Internet, which also foiled a later attempt by the same attackers to get back in through a backdoor they had left behind.
Automatic carwashes may not be as operator-free as you think. At the Black Hat conference in 2017, researchers demonstrated a hijack of the PDQ LaserWash platform that could injure or kill unsuspecting customers. “We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash,” said researcher Billy Rios.
Rios and his partner Jonathan Butts got in through the wash’s Internet-facing web interface using the default password “12345”, which customers rarely change, and from there could drive the bay doors and wash arm while defeating the safety sensors meant to keep them off a vehicle. The LaserWash manufacturer later admitted that “it wasn’t possible to patch against the aforementioned exploits.” You might be better off grabbing a bucket and just waiting for rain.
In a horrifying case of manufacturer overreach, Denis Grisak, founder of connected garage door opener Garadget, bricked a customer’s device after the customer posted an angry message on the product’s support forum and a one-star review on Amazon. “I’m not going to tolerate any tantrums,” Grisak fumed. “Your unit ID 2f0036… will be denied server connection.”
The backlash was immediate: bad press and a flood of negative Amazon reviews forced Grisak to back down. But the incident left a bad taste in many IoT watchers’ mouths. Unlike their “dumb” counterparts, Internet-enabled devices give manufacturers continuing control long after the device has left the factory floor: a product that must authenticate to the vendor’s servers to work can be switched off from those servers.
“If your devices rely on someone else’s servers to run, and they can be remotely disabled at any time, do you really own them?” Business Insider’s Rob Price asked.
We have only two years to go before 2020, and a projected 31 billion IoT-enabled devices worldwide. If users don’t secure their IoT devices as a first and regular practice (changing default passwords, disabling Universal Plug and Play on the router so devices can’t silently open ports to the Internet, and applying firmware updates wherever the vendor offers them), then the devices designed to make our lives easier might just turn into a not-so-merry band of burn-your-toast toasters and vengeful garage door openers. At the very least, let this be a friendly reminder to always do your security homework and to do everything in your power to keep your family, your business and yourself safe as more and more of your devices become connected.
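As an added example (not code from the article or from any vendor it mentions), the script below puts the default-password advice into practice in two ways: an inventory audit that flags devices still using a factory login, and a detector that spots Mirai-style default-credential spraying in login logs. The credential list is a subset of the defaults hard-coded in the leaked Mirai source; the inventory, the log format and the log lines are constructed for the example, and the thresholds are illustrative assumptions.

```python
"""Added example (not from the article): two offline checks against the
default-credential problem that Mirai exploited. Credential list, inventory
and log lines are constructed for the example."""
import re
from collections import defaultdict

# Subset of the factory-default user/password pairs hard-coded in the leaked
# Mirai source (the full list is longer; extend it with your vendors' defaults).
DEFAULT_CREDS = frozenset({
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "12345"),
    ("root", "root"), ("support", "support"), ("admin", "password"),
    ("user", "user"), ("admin", "1234"), ("ubnt", "ubnt"), ("guest", "guest"),
})

# Constructed log format, one line per login attempt. Honeypots such as
# Cowrie record the attempted password; production device logs normally do not.
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S*) pass=(?P<password>\S*) from=(?P<src>\S+)$"
)


def audit_inventory(devices):
    """Return the ids of devices whose configured login is a known default.

    `devices` is an iterable of dicts with keys id, user and password."""
    return sorted(d["id"] for d in devices
                  if (d["user"], d["password"]) in DEFAULT_CREDS)


def detect_credential_spraying(log_lines, min_attempts=5, min_default_ratio=0.6):
    """Group login attempts by source and flag sources that behave like a
    Mirai scanner: many attempts, most of them drawn from the default list.
    A flagged source that eventually logs in is reported as a compromise."""
    per_src = defaultdict(lambda: {"attempts": 0, "defaults": 0, "succeeded": False})
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if m is None:                     # not a login record; skip it
            continue
        stats = per_src[m["src"]]
        stats["attempts"] += 1
        if (m["user"], m["password"]) in DEFAULT_CREDS:
            stats["defaults"] += 1
        if m["result"] == "ok":
            stats["succeeded"] = True
    for stats in per_src.values():
        ratio = stats["defaults"] / stats["attempts"]
        stats["flagged"] = (stats["attempts"] >= min_attempts
                            and ratio >= min_default_ratio)
        stats["compromised"] = stats["flagged"] and stats["succeeded"]
    return dict(per_src)


# Constructed inventory: two devices still on a factory login, one rotated.
SAMPLE_INVENTORY = [
    {"id": "cam-01", "user": "root", "password": "xc3511"},
    {"id": "cam-02", "user": "root", "password": "Q7v!kL2#pZ"},
    {"id": "dvr-01", "user": "admin", "password": "admin"},
]

# Constructed log: a scanner walking the default list until one works,
# then a legitimate user mistyping a password once. Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2017-10-02T03:14:01Z telnetd: login failed user=root pass=xc3511 from=198.51.100.7
2017-10-02T03:14:02Z telnetd: login failed user=root pass=vizxv from=198.51.100.7
2017-10-02T03:14:03Z telnetd: login failed user=admin pass=admin from=198.51.100.7
2017-10-02T03:14:04Z telnetd: login failed user=root pass=888888 from=198.51.100.7
2017-10-02T03:14:05Z telnetd: login failed user=support pass=support from=198.51.100.7
2017-10-02T03:14:06Z telnetd: login ok user=root pass=12345 from=198.51.100.7
2017-10-02T03:20:11Z telnetd: login failed user=alice pass=wr0ng from=203.0.113.9
2017-10-02T03:20:19Z telnetd: login ok user=alice pass=c0rrect from=203.0.113.9
2017-10-02T03:21:00Z cron: nightly backup finished
""".splitlines()


if __name__ == "__main__":
    print("devices on default credentials:", audit_inventory(SAMPLE_INVENTORY))
    for src, stats in detect_credential_spraying(SAMPLE_LOG).items():
        print(src, stats)
```

The detector keys on the shape of the attempts rather than their volume alone: a source that tries six different factory logins in six seconds is a scanner even if it never exceeds a generic brute-force threshold, while a user who mistypes a real password once is not. On the constructed data, 198.51.100.7 is flagged and, because its last attempt succeeded, reported as a compromise; 203.0.113.9 is left alone.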