If you’ve been following tech news, you’ve probably heard of IoT, the Internet of Things. In case you haven’t, IoT refers to the latest generation of “smart” devices which encompass everything from smart lightbulbs to smart refrigerators to smart thermostats and smoke detectors. All of these devices are designed to connect to the Internet and the other devices in your house to enable intelligent behavior.
Imagine sitting down on the couch to watch Netflix and your lights automatically dimming as the movie starts. Imagine walking up to your front door and your phone automatically unlocking the door because it has recognized your home network.
That’s the dream of the Internet of Things.
It sounds pretty good, doesn’t it?
If you were thinking that sounds too good to be true, you were right. Not because those products don’t exist (they all do, though you’ll have to do a little tinkering for the Netflix one), but because most of these devices have huge security vulnerabilities. Once these devices leave the factory, most will never receive a software update, or if they do, you can bet security updates will stop as soon as next year’s model ships. That might not sound too bad to you, but do you remember Heartbleed, Shellshock, or POODLE?
It’s safe to say that 2016 will have at least one major security vulnerability that will affect most of the IoT devices out there.
Security Last
If that’s not bad enough, many IoT devices come with poor security or none at all. Username and password combinations of “admin” and “admin” are common, allowing anyone to access the device. Matthew Garrett, a security developer at CoreOS, said of a smart lightbulb he bought: “[it] has a cloud access protocol that has no security whatsoever and also acts as an easy mechanism for people to circumvent your network security. This may be the single worst device I’ve ever bought”.
His Twitter feed is a graveyard for IoT security:
In summary: 1) GPL violating 2) no local network security 3) no remote network security 4) commands that crash 5) not actually good bulbs
— Matthew Garrett (@mjg59) February 24, 2016
Two IoT devices I have ever bought without being able to hack within days. Two.
And one of those was Barbie.
— Matthew Garrett (@mjg59) February 24, 2016
Look I do not go out of my way to buy technology that terrifies me so the overwhelming probability is that most of it is this bad
— Matthew Garrett (@mjg59) September 25, 2015
The Rise of the Machines
It’s not hard to imagine malware making use of these insecure devices to spread from network to network, house to house, infecting your lightbulbs and using them as a beachhead for assaults on your computers. Or worse, causing physical damage to your property, for example, by overheating or triggering defects in the physical hardware itself. Or silently betraying your privacy to anyone interested enough to listen. The smart lock on your front door could be hacked to open for anyone. The smart fridge that lets you record voice messages for your family could be hacked to record everything said in the kitchen. The smart TV that lets you Skype with friends could be hacked to constantly stream video to the internet.
The Internet of Things has many amazing gadgets, but the implications of its currently poor security for our safety and privacy are huge. Hopefully, as it matures, manufacturers will give their devices’ security the level of attention it deserves. Until then, the Internet of Things will remain the internet of vulnerable things.