Shodan.io – a search engine for internet-connected devices – recently launched a section letting you browse images from unsecured webcams. By searching for webcams that use a vulnerable streaming protocol and lack password authentication, it’s able to populate a feed with snapshots of everything from back gardens to children’s bedrooms. These images are evidence of an unsettling truth: willingly or unwillingly, we’ve opened our homes and businesses to the World Wide Web.
As a result, cyber-criminals now have more potential targets than ever, and they can do a lot more than eavesdrop.
Hacked baby monitors are being used by online predators to threaten parents and scream at toddlers. Attackers can also disable home thermostats or furnaces during the winter months, bursting pipes and causing structural damage. A smart kettle could be used to start a fire in your home.
Given the risks, you’d expect that vendors would harden their devices. But they don’t. Internet of Things (IoT) security is a mess, and most vendors simply opt for the minimum viable product, sacrificing our privacy and safety to push to market.
Believe it or not, this is partially our fault.
Consumers Don’t Really Care About Security…
When you bought your smart fridge, did you ask about the vendor’s patching process? When you came home with a smart thermostat, did you think about whether or not it was hardened against unauthorized intrusion? When you picked up your smart TV, did you ask if your login information would be protected?
In an earlier piece I wrote on digital security, I maintained that the primary reason most people don’t care about their security is a lack of understanding. They don’t know what data may be at risk, and what that may cost them. They should – with IoT, a hijacked device could cause real, lasting physical damage.
People know full well that it’s dangerous leaving the stove on or leaving the curling iron plugged in. Yet when it comes to connected devices, we shrug off the idea that they could be a threat. And that’s a problem – particularly because it isn’t just our homes that are at risk.
We aren’t just connecting more of our appliances to the Internet: we’re connecting our own bodies. Medical technology like pacemakers, heart defibrillators and insulin pumps means that for the first time in history, our bodies themselves can be targeted by cyberattacks. Further, what happens when a smart aircraft is hijacked, or a self-driving car, or a city’s power grid?
…And Vendors Aren’t Held Accountable for Security Flaws
Finally, as touched upon in a recent article by security veteran Jay Barbour, vendors don’t just lack security expertise: they also aren’t held liable for the vulnerabilities of their IoT products. They have no incentive to ensure those products are secure.
“Many aren’t aware what having an IoT device connected to the Internet entails,” explains BlackBerry Director of Software Security Adam Schieman. “This is not helped by the fact that few IoT vendors apply security patches on a regular cadence, and fewer still disclose the full details of the patches they release. And no one questions it, because it’s not a priority – for vendors or for consumers.”
How Can You Protect Yourself?
The stakes here are a bit higher than discriminatory pricing and fraud, and vendors aren’t interested in helping you guard against risk. How, then, can you avoid damage to your home or harm to your loved ones?
- Do your homework before buying a connected device: Before you purchase a smart device, check what measures the vendor is taking to protect the data stored on their device. How often will they update it? What out-of-the-box security measures are there?
- Always read the TOS: Nobody likes slogging through the terms of service when they purchase a new device, but if you want to ensure your information and well-being are protected, you need to (or find a service that will do it for you).
- Change the username and password: Replace the default username and password on any device you purchase with credentials of your own – “password” isn’t a very good password.
- Keep things up to date as much as possible: Even when a vendor consistently releases security patches, those patches don’t always download automatically. Keep on top of firmware updates and vulnerability hotfixes.
- Evaluate whether or not you NEED to connect: It’s tempting to buy a smart lock or smart thermostat, but ask yourself: is it something you can wait on until IoT security sorts itself out?
As the world becomes increasingly connected, the number of endpoints through which hackers can steal our information and threaten our well-being increases exponentially. As end users, it falls to us to protect our privacy and safety. Because if we don’t start caring about those things, who will?