Tuesday, 17 February 2015
Is Internet of Things (IoT) A Security Timebomb?
Hailed as a panacea by those for whom the world cannot move quickly enough, the Internet of Things has been a long time coming. But is Internet of Things security up to scratch?
Several false dawns later, however, the Internet of Things is finally here. For me the tipping point, the moment of realization, was the arrival of the WiFi kettle – a device whose existence used to be an in-joke I shared with former colleagues. “When the WiFi kettle arrives”, we’d say, “then the internet will be complete”.
Now, though, it seems that the possibility of coming home to ready-boiled water isn’t so much a glorious triumph of connected technology as a reason to be fearful for our home security. Because, as a Gartner executive warned last week, the Internet of Things is opening up a new Wild West of internet security.
“Some of the leading vendors that are developing products are making some effort to address security concerns, but Gartner believes the majority aren’t at this stage – convenience, user friendliness, time-to-market all win out over security at this point”, said Earl Perkins, research vice president at Gartner.
He’s right. The reality is that in our eagerness to finally have the Internet of Things – and in the eagerness of companies to sell us the Internet of Things – security is being given a pass.
You think internet security is a minefield now? What will it be like when every household has dozens of new devices connected to the internet, each with its own firmware and network access permissions?
The multiplication of attack vectors is already borne out by a wide range of case studies. Baby monitors, which often come with two-way audio as well as one-way video functions, have been hacked by abusive – if not actually dangerous – individuals, most recently in Houston, Texas last month.
Then there’s Google’s much vaunted Nest thermostat – the eco-friendly must-have smart heating solution. Last August, hackers took just fifteen seconds to re-root a Nest with infected firmware. Granted, it required physical access which greatly reduces the risk, but as Computer World points out, how many people might buy a Nest second-hand, or from eBay?
It goes on. Smart LED light bulbs have been hacked to reveal credentials for the wifi network, allowing the hacker to control the lighting system. ‘Smart’ doorbells and entry systems have proven similarly vulnerable; the appeal to would-be thieves is obvious.
Internet of Things security risks aren’t limited to vulnerabilities, however. The very functions that make our connected devices appealing may also be our undoing, if they are not properly curbed. Samsung TVs have recently been revealed to be recording, collecting and transmitting everything that is said within range of their microphones, to be sent to third party companies.
Whatever the ‘Thing’ being hacked in the Internet of Things is, it doesn’t really matter. It can be your fridge or your front door – the risks are the same. Your WiFi details can be compromised, and your devices put to use in a botnet, facilitating further hacks. Or the various information your devices have about your lifestyle can be put together to aid bricks-and-mortar crime, or steal aspects of your identity you didn’t think possible. Your eating habits; how warm you like the house; the hours you keep; even the pet names you have for your spouse. What about when you connect your fitness band? Your weight, blood pressure and sleeping habits are now up for grabs.
Internet of Things devices need to be protected like computers, phones or tablets. They need to stop storing password data in plain text, and they need to be prevented from over-gathering data in commercial interests. They need to be better-made, and consumers need to be better-informed.
With a report recently published by the FTC, and Internet of Things security currently up for debate in the US Senate, maybe we are finally nearing some action on security for connected devices. But it can’t come soon enough.