June 4, 2019
Most adults over the age of forty were raised during a time when you had to get up to change the channel on a TV or make frequent trips to the laundry room to see if the dryer had finished. Those were the days when nothing was controlled by an app on a smartphone. Those days are long gone.
Along came the internet, followed by the internet of things (IoT), and now the days of being disconnected are far behind us. In today’s digital world, everything from a refrigerator to a car or a heart monitor is ‘smart,’ but are these devices smarter than hackers?
Many people shrug off the vulnerabilities of connected devices with a simple, “I have nothing to hide, so I don’t care if I get hacked.” But the security of IoT devices isn’t only about protecting data. In some cases—a growing number, in fact—the lack of security in connected devices can result in physical harm.
Connected Devices that Open Doors to Home Networks
Any device that is directly connected to the internet or can be controlled by an app is vulnerable to attack for several different reasons. Among the many reasons IoT devices are vulnerable, the top three are failure to update firmware, the use of weak passwords and failure to practice good online hygiene, according to a December 2018 report from Bitdefender.
The report found that because of these weaknesses, attackers are able to access banking information, private photos, emails, home security cameras and pretty much anything that is connected to a home network, though the most popular devices in the average home are smartphones, smart TVs and tablets.
While the report noted that 58 percent of owners surveyed said they use a different password for each smart device, only 24 percent have several different passwords that they use randomly, with nearly 5 in 10 smart TV owners admitting that they have never changed the password on their device.
In addition, half also fail to update software apps on a monthly basis and 6 in 10 confessed that they have never performed any firmware updates on their wireless router.
Though the dangers posed by some connected devices are obvious, “there are many other IoT devices that can cause lots of indirect damage,” said Asaf Ashkenazi, chief strategy officer at Inside Secure.
Whether it’s connected printers, smart thermostats, surveillance cameras, or connected light bulbs, the IoT devices connected to our home or organizational networks might not cause direct harm, but they are the ones Ashkenazi is most concerned with today.
“These devices can be manipulated to be the hacker’s gateway to your home or organization’s network. These devices tend to have very little security and they are rarely being serviced or patched for software vulnerabilities. They are an easy target for hackers, and the actual number of these devices around us is growing exponentially.”
Doing No Harm Starts at the Development Stage
Though users may be apathetic about updating firmware and software on their TVs, these devices pose little risk of physical harm aside from the unnerving emotional trauma of finding that an attacker has been eavesdropping on you. Certainly, the news that an intruder had compromised a Nest because the owner had not changed the password was terrifying, but no physical harm was done.
However, there are many IoT devices that—if compromised—could be disastrous. The possibility of vulnerabilities in medical devices has sparked deep concern as hackers could directly impact patient health and safety. Considering the growing risk to patients, the Journal of Medical Internet Research recently published The Case for A Hippocratic Oath for Connected Medical Devices, which asks, “as the medical community increasingly deploys connected devices to deliver patient care, a critical question emerges: should the manufacturers and adopters of these connected technologies be governed by the symbolic spirit of the Hippocratic Oath?”
Securing medical devices poses several problems. It will require the participation of all stakeholders, not only manufacturers. Additionally, cost could be problematic. Manufacturers would have to make significant investments to advance the security of these connected devices.
“Generally, any device that has a physical impact on our lives, especially when it can lead to injury or even death, is a device that needs to be trusted to operate correctly,” said Ashkenazi. “Now, when such devices rely on software and they are connected to the cloud, they become much more dangerous because they can be attacked remotely by anyone with an internet connection. Therefore, I would say that any device with an impact on our physical lives that is controlled by software and connected to the internet is a high-risk device.”
Taking Risk on the Road
Public security and safety with autonomous vehicles became a greater concern in the aftermath of the accident with Uber’s driverless car. While the accident resulted in a death, it wasn’t because the vehicle was compromised by an attacker, but it is a clear indication that the connected nature of the vehicles poses risks to people and property.
The crash highlights the need for securing connected cars, which can contain many systems that can be controlled remotely via smartphone apps. Using a smartphone, people can lock or unlock a car, even disarm the vehicle’s alarm system, and according to Ashkenazi, each of those actions is only as secure as the code that actually executes it within the apps.
Software applications are used to control IoT devices, which Ashkenazi said could open up a pathway to controlling hundreds or even thousands of devices, giving a malicious actor access to a car without actually needing to know how to hack a car.
In order to hack a car, an attacker needs to know about the system of that particular car or fleet of cars, which is not that easy given that the attacker would have to actually have access to the car. “They would have to invest a lot of time and money, but attacking an application on a phone makes it easier. They don’t need to know about the car, just about attacking the application on the phone,” Ashkenazi said.
Creating Safety in Software
As with all aspects of security, there is no one silver bullet that can make networks and the devices connected to them 100-percent safe. According to Bitdefender, an important piece of security is that consumers have an understanding of risk.
“While IoT security awareness should start with manufacturers, it’s also up to individual users to secure their home network and understand the risks associated with poorly secured smart things.”
Awareness of risk can help to change user behavior, but the onus of responsibility does not fall solely on users. Security should exist for application protection regardless of the device it is running on, which is why Ashkenazi said that self-protection on the application is the best way to mitigate the risk of an attacker exploiting a vulnerability.
“This would make it easy and more affordable for developers to protect their application. They don’t need security knowledge, they don’t need to bake in,” Ashkenazi said.
With obfuscation, an attacker can’t see how the application works. Because more lines of code give way to more vulnerabilities, securing software means making sure attackers can’t see the mistakes, and obfuscation hides them.
Security is difficult and expensive, but as the risk to public safety becomes an increasing reality with the explosion of IoT, security researchers, manufacturers and policy makers need to work together not only to bring security to the forefront but to make security easy and affordable so that more developers will use it.