- The number of IoT devices is predicted to reach 26 billion by 2020
- Sometimes, a simple web search is all it takes to hack a smart home device
- The Mirai botnet attack made IoT security a hot topic
- The world’s governments are finally starting to take the threat seriously
Security is usually something people take very seriously. That’s why you don’t leave your front door or your car unlocked or let any random stranger off the street simply walk into your home. Yet, most people just don’t seem to apply the same level of scrutiny to the smart devices they bring into their homes, despite their well-documented security issues. And that’s a big mistake.
The number of IoT devices is predicted to reach 26 billion by 2020
Over the last couple of years, we’ve witnessed a proliferation of smart home devices, ranging from the extremely useful to the downright bizarre. While it may be perfectly reasonable for a security camera to be connected to the internet, the same can’t exactly be said for something like a toaster, a vacuum cleaner, or a trash can. Yet, since they make our lives easier and more convenient, people keep buying them, and about 62 per cent of US adults now own at least one connected device. Gartner predicts that there will be more than 26 billion IoT devices in the world by 2020, while the value of the global IoT market is expected to reach 1.7 trillion by 2019. Perhaps unsurprisingly, this growth in the number of IoT devices has been accompanied by the rising incidence of cyber-attacks directed against them, with Symantec reporting a staggering 600 per cent increase in the total number of IoT attacks between 2016 and 2017.
Sometimes, a simple web search is all it takes to hack a smart home device
IoT technology can be incredibly vulnerable to hacking, and each new device you bring into your home represents a potential point of entry for cyber-criminals. The main reason for this lack of security is that manufacturers, rushing to take their products to market to take advantage of this booming trend, often disregard this aspect during product development. It takes time and money to implement strong security features into IoT devices and it can potentially hinder their performance, so manufacturers often decide that it’s just not worth the effort.
Assigning weak login credentials, such as ‘admin’, ‘12345’, ‘root’, or ‘password’, is one of the most common ways manufacturers leave their devices exposed to outside attacks. A 2017 study by Positive Technologies revealed that 15 per cent of IoT devices out there (in shops and in people’s homes) still use default login credentials, while 10 per cent of them have been assigned one of the five most popular username/password pairs. To make matters worse, these credentials are often hard-coded into the devices, which means that users can’t change them even if they wanted to. As a result, all it takes for a hacker to gain access to the device is a simple web search for its default username and password.
A recent study by researchers at Ben-Gurion University reveals just how easy it is to compromise smart home devices. The study encompassed 16 off-the-shelf smart home devices, including home security cameras, doorbells, thermostats, and baby monitors, some of which they were able to hack in less than half an hour. “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand,” says Omer Shwartz, one of the researchers on the project. “Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.” According to Yossi Oren, another one of the researchers, they were able to “play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely”.
The Mirai botnet attack made IoT security a hot topic
The first recorded IoT-based cyber-attack involving everyday smart home devices occurred between December 2013 and January 2014, when cyber-criminals took control of more than 100,000 compromised IoT devices, including routers, TVs, multimedia centres, and refrigerators, and used them to send more than 750,000 malicious emails to individuals and enterprises. The attack proved difficult to block because they never sent more than 10 emails from a single IP address. Things have gotten progressively worse since then, culminating with the now infamous Mirai botnet attack in October 2016. During this attack, hackers used a network composed of poorly secured devices like routers and security cameras to launch the largest DDoS attack in history on Dyn, the company that controls much of the world’s DNS infrastructure. The attack resulted in some of the world’s most popular websites, including Twitter, Netflix, PayPal, Reddit, and the PlayStation Network to be unavailable.
And it seems like researchers are discovering new major flaws and vulnerabilities in IoT devices every week. In July 2017, the IoT security firm Senrio announced it discovered a security flaw in a piece of code used in a wide range of physical security products, including security cameras, sensors, and access-card readers, which allows attackers to gain access to an otherwise secure network using a single vulnerable device. Known as the Devil’s Ivy, the vulnerability affects millions of existing IoT devices, and although some of the manufacturers have already issued patches to fix the problem, many of these devices remain unprotected. To demonstrate just how dangerous this flaw can be, Senrio staged a fake attack in which it took control of a security camera and a router that are still known to be vulnerable to the flaw. During the attack, they gained access to other secured devices on the network that contained financial and private data.
The world’s governments are finally starting to take the threat seriously
This prompted even the FBI to get involved and issue an alert warning people about the dangers of unsecured IoT devices. “Devices in developed nations are particularly attractive targets because they allow access to many business websites that block traffic from suspicious or foreign IP addresses. Cyber actors use the compromised device's IP address to engage in intrusion activities, making it difficult to filter regular traffic from malicious traffic,” notes the alert. According to the FBI, the attackers can use these devices to send spam emails, generate click-fraud activities, conduct credential stuffing attacks, and sell or lease IoT botnets to others.
The US government responded to this growing threat by passing the Internet of Things Cybersecurity Improvement Act in 2017, which sets security standards for IoT devices that are sold to the government. While the act currently only protects the government from IoT security threats and doesn’t reference consumer devices, it still marks an important step towards solving this issue. Similarly, the UK government is also working on setting security rules for IoT products, while the European Union's cybersecurity agency ENISA is looking to establish a common policy framework for IoT security.
IoT devices have brought unprecedented convenience to our lives, and judging by the numbers, they’re here to stay – security flaws and all. So, is there anything users can do to protect themselves? The simplest solution would be not to buy any IoT devices in the first place, but that’s not very likely to happen. The next best thing you can do is make sure to buy IoT devices only from reputable manufacturers that have demonstrated they take security seriously. Then, you need to immediately change the default login credentials and never use the same password for multiple devices. And, last but not least, try to keep your IoT devices on a separate network and make sure they’re always up to date. That way, you’ll be able to enjoy the convenience IoT devices provide safely and securely.