Wrapping security around the Internet of Things is proving to be a complex proposition, and for one senior security analyst, the many definitions of IoT is the primary reason.
“IoT doesn’t have a universally accepted definition. When people think about IoT, they don’t have a clear device in mind,” said Bogdan Botezatu, senior e-threat analyst at Bitdefender.
“Some of them think of smartphones, others think of sensors, connected cameras, thermostats, and so on.
“The common denominator across all of them is that they run their own operating systems, they’re always connected, they exchange data with the world, and they’re all vulnerable to threats.”
Botezatu said what makes IoT security more important than traditional IT security is that it often relates to physical access and control of real-world assets.
“For example, companies are now producing smart ovens, which use electricity and convert it to heat. These could be remotely controlled, and whoever gains access to these devices can actually set your house on fire,” he told IoT Hub.
“Many IoT devices hide their APIs and are essentially ‘black boxes’, and nobody knows what operating system runs on them and nobody can install anything on these devices because they only way you can interact with them is via apps or via minimalistic interfaces.”
The dangers of smart home devices
Botezatu has particular concerns over the increasing proliferation of home appliance manufacturers integrating connectivity into traditionally ‘dumb’ devices.
“I don’t expect everybody to have an understanding of how their connected kitchenware works, for example,” he explained.
“The average consumer may ultimately end up with a kitchen full of appliances that connect to the Internet that they won’t have any control over, because they wouldn’t understand how they connect to the network.
“We’re already seeing fridges sending spam, major botnets using smart power plugs, and people being able to remotely unlock doors or hijack doorbells to obtain Wi-Fi passwords, and so on.”
He is also seeing a worrying trend amongst smart device manufacturers that too little emphasis is being placed on updating the software on their devices, preferring to release updates when the next generation of device is released.
“Version two of the software is usually only bundled with version two of the hardware, so unless consumers purchase the new product when it launches, they’re stuck with a vulnerable version of the software in their household,” he added.
Proximity no longer a prerequisite to attack
Botezatu has observed a worrying trend among smart home device security, in that a hacker no longer needs to be in range of the target network to launch an attack.
“Up until now, you had to be within the range of the user’s Wi-Fi to obtain a hardcoded password or to find a way in,” he said.
“Now, things are becoming more complicated, as smart home devices increasingly communicate with a server that in turn communicates to other smart devices around the world, and through our testing we’ve discovered that we can inject commands which the server can then send to every active device in the world.
“Hackers can now create a million-device botnet that can attack websites or perform other types of malicious activity.”
What can consumers do to protect themselves?
Botezatu said that the most important step for consumers to take to protect their devices and networks is to increase their awareness of the threats out there.
“First of all, they need to be aware of the danger. This is the most difficult part, that even now in 2016, people think of smartphones as regular phones, for example, and still treat them as a simple device, and not a portable computer,” he explained.
“The same thing goes with appliances. When the majority of consumers look at an intelligent washing machine, all they see is the washing machine, not the software, or the connection to the Internet.”
“Furthermore, even if you’re aware of what’s going on and that your devices could be compromised, there’s no easy way to determine if your devices are vulnerable on any given day, as new vulnerabilities for existing devices are being discovered all the time.”
He said that best way for consumers to ensure that their smart devices are as secure as possible is to subscribe to a service that can perform regular audits of their equipment and test them for vulnerabilities, or failing that, regularly checking manufacturer websites for security updates, if available.