The Internet of Things (IoT) gives everything an IP address so that everything can communicate with more or less anything and anyone else. The benefits and possibilities are almost infinite. But aren’t these technological developments evolving rapidly, maybe too rapidly? Smart TVs, gaming consoles, tablets, smartphones and cars can eavesdrop on us. Cameras in your laptop, smartphone and smart TV can watch us when we don’t want them to. Samsung is amending its user agreements to reassure people about the voice control on its smart TVs. BMW is rolling out a software update for the ConnectedDrive system in 2.2 million cars to prevent hackers easily being able to open the doors of the cars. These are the first signs that possibly too much has been started without reflection.
Research commissioned by US Senator Edward Markey in 2013 among 20 different car manufacturers, of which 16 participated, “reveal that there is a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle or against those who may wish to collect and use personal driver information.”1 Security expert Jack Barnaby showed some years ago that heart valves and insulin pumps were not safe from hackers either.
The most splendid technologies have been gradually creeping into our everyday lives before this question has been fully answered – just think of the rise of smart watches. Aside from disturbing you unnecessarily by vibrating while you are giving your business presentation, you can also use them to read mail, look up contacts, check your calendar and, soon, use them to pay for your cup of coffee. But even more importantly, the watch can count your steps, monitor your heart rate and even determine your sleep pattern. All the data is sent to servers ‘in the cloud’.
And so, in one way or the other, most smart devices collect a great deal of personal information about the user. What happens to that data? There is a very high risk that part of your daily routines will be used to bombard you with targeted advertising later, and, in many cases, you have actually consented to this when you accepted the terms of use, which nobody reads. This is where the interface with Big Data, and its proper processing, lies. What is the provider’s attitude to your privacy? And who guarantees that this data is not shared with your health insurance company?
Another concern is the security of the data: strong passwords simply are not always enforced in the modern IoT world. Even worse, not one of the devices I investigated offers the option of 2-factor authentication, but you can operate them all remotely or download data from them via the Internet.
Maybe I’m doing the suppliers of these types of device a disservice because they are primarily concerned with features and ease of use and they are not as security-minded as I am. But it’s now clear that something has to change.
A study, published by HP2, showed a number of serious security gaps in a lot of smart equipment. Further investigation carried out made it clear that the software update systems for some of these types of system are not secure. Authentication to the download server was rated very weak and in some cases it seems it is even possible to modify the software on the download server.
It’s a dream come true for cybercriminals who, when they read this report, will know exactly how to blackmail users by using software to start a fire remotely in someone’s smart home, for example using the thermostat to turn up the temperature in the house to boiling point.
According to research, it also seems easy to instigate a brute force attack to get into the cloud interface of most systems. This allows a criminal to pose as the legitimate user and easily see whether or not you are home. Operating your security camera is just a nice bonus for the criminal.
Another problem is the poor encryption of the data that is sent between the smart devices. Passwords and personal data are easily available to someone with the right knowledge and tools. This also means that your corporate data can easily be intercepted: just by reading a work e-mail on your smart watch.
I advise manufacturers of smart devices to seek out co-operations with the security industry. It will not be very complicated to improve on some of the aspects highlighted above. The security industry already has experience in this so there is no need to reinvent the wheel. Consumers, on the other hand, will need to look more carefully at the potential security risks when they buy these types of device. The use of strong passwords for the applications is key to this. For businesses, a way of implementing a filter between IoT devices and the rest of the network seems sensible.
Fortunately there is still no standard for operating systems for smart devices, which at least has an inhibitory effect on malware writers (which operating system should they choose?). The drawback, though, is that there is still no security software for most smart devices.
I am convinced the Internet of Things will bring about much that is good. I can already hardly live without it. It is already making our lives easier. But there are still some essential security steps that are needed before I will recommend the use of smart devices to everyone.
——————-
1 www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf
2 www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf
The original Flemish/Dutch article can be found at DataNews.
This article was originally published at the security blog from G DATA in English and German.